Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see Remarks, filed 10-07-2022, with respect to the 101 (non-statutory) rejection have been fully considered and are persuasive. This rejection has been withdrawn.
Applicant’s arguments with respect to claim(s) rejected under 101 (abstract idea) have been considered but are moot; they are reconsidered based on applicant’s arguments and in light of the new amendments. The rejection under 101 (abstract idea) is revised and maintained.
Applicant’s arguments, see Remarks, filed 10-07-2022, with respect to the rejection(s) of claim(s) 1-30 under 102 have been fully considered and are moot. Therefore, the 102 rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of applicant’s arguments and in light of the new amendments.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08-01-2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 11 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claims recite: “monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform;”. The word ‘their’ is confusing and allows different interpretations. It is not clear whether ‘their’ means that the security-relevant subsystems monitor and log their own activity (self-assessment), as its placement close to those subsystems suggests, or that they do so for the computing platform that they administer. The word shall be removed and the specification does not support such language. For interpretation purposes for search and prior art rejection, it is considered that the security system monitors and logs the activities of the computing platform. Therefore all the corresponding dependent claims are also rejected for the same rationale.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform; monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems; detecting a security event within the computing platform based upon the identified suspect activity; rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event; and enabling a third-party to gather artifacts concerning an object within the threat mitigation user interface.
Step 1: Claims 1, 11 and 21 do fall into one of the four statutory categories of method and system claims. Nevertheless, the claims are still considered an abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 11 and 21, which recites: rendering a threat mitigation user interface that identifies objects within a computing platform in response to a security event; and enabling a third-party to gather artifacts concerning an object within the threat mitigation user interface, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and/or with pen and paper without a generic computer. Except for the words ‘A computer program product residing on a non-transitory computer readable medium having a plurality of instructions stored thereon which, when executed by a processor…, A computing system including a processor and memory’ in claims 11 and 21 respectively, nothing in the claim element precludes the step from practically being performed in the human mind and/or with pen and paper. For example, tracking the activity log(s) of different devices and obtaining various information in any office or campus may also be perceived as being done manually by a human in an orderly fashion, with or without a general purpose computer. In context, these claims encompass rendering on a UI and requesting a vendor/third-party to gather more information accordingly.
Dependent claims 2 – 10, 12 – 20 and 22 – 30, which in turn recite artifacts such as raw data; screen shots; graphics; notes; annotations; audio recordings; and video recordings, enabling the third-party to store the artifacts, enabling the third-party to provide the artifacts to another party, the inspection window being a popup or slide out inspection window, monitoring a plurality of sources to identify suspect activity, etc., are mere structural addendums and are other steps that could be performed by a human manually with or without need for a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human mind but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine steps of: monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform; monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems; detecting a security event within the computing platform based upon the identified suspect activity; rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event; and enabling a third-party to gather artifacts concerning an object within the threat mitigation user interface. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. [00276]) such that it amounts to no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.
As discussed above with respect to integration of the abstract idea into a practical application, monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform; monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems; detecting a security event within the computing platform based upon the identified suspect activity; rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event; and enabling a third-party to gather artifacts concerning an object within the threat mitigation user interface, amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 10, 12 – 20 and 22 – 30 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1 – 30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hogg et al (US 10592938), hereafter Hogg and Weber et al (US 20100115617), hereafter Web.
Claim 1: Hogg teaches a computer-implemented method, executed on a computing device, comprising: monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform; (C48L27-32: monitors the data source and categorizes the information pertaining to various exploits contained therein according to the attack vector utilized by a given exploit, identifies the peer group or industry that the exploit was utilized against, and, for every given peer group or industry (abstract) and produces a respective domain-level vulnerability score);
monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems; (C2L28-30, 34-46: enable an automated or semi-automated cyber security resilience evaluation, enable end users to identify weaknesses across a number of security domains, sub-domain and performs vulnerability assessments; C10L51-59: a tool that operates against a file system of a computer to identify files that match certain patterns (i.e., log files), ...where the patterns indicate compromise of the system, a tool that continuously monitors the "attack surface" of an enterprise such as URL and URI access points, Internet Protocol address ranges of an enterprise and identify any changes);
rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event; (C2L33-35: assessment provided by the platform include a graphical display enabling an end user to identify weaknesses across a number of security domains... enterprise is assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise's present state and (C16L549-53) the process is used in connection with assessing cyber security threat exposure, the platform operates on behalf of a provider of "smart" networking devices that detect malicious activity);
and enabling a third-party to gather artifacts concerning an object within the threat mitigation user interface. (C9L11-30: the vulnerability assessment is conducted by third-party field agents engaged or otherwise assigned by the operators of the platform which operate on-site at the enterprise... observing operations and behaviors, and performing cyber exploration, penetration, and vulnerability examinations).
Hogg is not explicit about detecting a security event within the computing platform based upon the identified suspect activity;
But analogous art Web teaches detecting a security event within the computing platform based upon the identified suspect activity; ([082-90, Fig. 11] denial of service detection process detects bandwidth attacks (i.e., security event) against a host based on examining both packet count and byte count to determine whether a host is a potential DoS victim... and based on conditions being satisfied (whether or not the host has a historically high variance in inbound packet rate, if incoming packet count is above a certain threshold etc.) (i.e., suspect activity), then the process increases the severity of the reported event).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hogg to include the idea of detecting a security event based on a suspect event as taught by Web, thereby examining host activity over a sufficiently long period of time to detect stealthy scans ([0100]).
Claim 2: Hogg teaches the computer-implemented method of claim 1 wherein the artifacts include one or more of: raw data; screen shots; graphics; notes; annotations; audio recordings; and video recordings. (C12L51-52, Fig. 4A: shows example screen shot of a user interface for assessment of vulnerability).
Claim 3: Hogg teaches the computer-implemented method of claim 1 further comprising: enabling the third-party to store the artifacts within a defined storage location. (C34L38-44: field team record information related to the operations as findings pertaining to the enterprise via a field agent user interface that is presented on a portable computing device, such as computing devices of Fig. 1A. The data entered via the field agent user interface is stored in a service data store of Fig. 1A).
Claim 4: Hogg teaches the computer-implemented method of claim 1 further comprising: enabling the third-party to provide the artifacts to another party. (C9L35-45: a field agent makes modifications via UI, for presentation to other field agents conducting vulnerability assessments in the future. Executive(s) from the enterprise, such as the Chief Information Security Officer (CISO) can access and manage the vulnerability findings).
Claim 5: Hogg teaches the computer-implemented method of claim 1 further comprising: enabling the third-party to select an object within the threat mitigation user interface, thus defining a selected object; and rendering an inspection window that defines object information concerning the selected object. (C9L23-45: the user interface permits a given field agent assessing a particular enterprise to select from among thousands of potential findings and those findings are organized under security domains according to various organizational schemes selected by the enterprise for its convenience and (C21L27-28) the number of navigation elements to be displayed is discernible).
Claim 6: Hogg teaches the computer-implemented method of claim 5 wherein the inspection window is a popup inspection window. (C39L26-28: results in presentation of a user interface (a pop-up window) presenting the information entered via the user interface).
Claim 7: Hogg teaches the computer-implemented method of claim 5 wherein the inspection window is a slide out inspection window. (C44L1-10, Fig. 10: the slider element represents the "Data" security domain, while the slider represents the "Physical Spaces" security domain, and so on).
Claim 8: Hogg teaches the computer-implemented method of claim 5 wherein enabling a third-party to gather artifacts concerning an object within the threat mitigation user interface includes: enabling the third-party to gather artifacts concerning an object within the inspection window. (C9L11-30: the vulnerability assessment is conducted by third-party field agents engaged or otherwise assigned by the operators of the platform which operate on-site at the enterprise... observing operations and behaviors, and performing cyber exploration, penetration, and vulnerability examinations).
Claim 9: Hogg teaches the computer-implemented method of claim 1 further comprising: detecting the security event within the computing platform based upon identified suspect activity. (C2L33-35: assessment provided by the platform include a graphical display enabling an end user to identify weaknesses across a number of security domains... enterprise is assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise's present state).
Claim 10: Hogg teaches the computer-implemented method of claim 9 wherein detecting the security event within the computing platform based upon identified suspect activity includes: monitoring a plurality of sources to identify suspect activity within the computing platform. (C10L40-60: Such digital forensic services include a tool that operates against a file system of a computer to identify files that match certain patterns, defined by regular expressions, which are defined by the user, where the patterns indicate compromise of the system and/or a tool that continuously monitors the "attack surface" of an enterprise and/or Uniform Resource Indicator access points, Internet Protocol address ranges of an enterprise and identify any changes).
Claim 11: Hogg teaches a computer program product residing on a non-transitory computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations comprising: monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform; monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems; rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event; and enabling a third-party to gather artifacts concerning at least one object within the threat mitigation user interface. (C48L27-32: monitors the data source and categorizes the information pertaining to various exploits contained therein according to the attack vector utilized by a given exploit, identifies the peer group or industry that the exploit was utilized against, and, for every given peer group or industry (abstract) and produces a respective domain-level vulnerability score; C2L28-30, 34-46: enable an automated or semi-automated cyber security resilience evaluation, enable end users to identify weaknesses across a number of security domains, sub-domain and performs vulnerability assessments; C10L51-59: a tool that operates against a file system of a computer to identify files that match certain patterns (i.e., log files), ...where the patterns indicate compromise of the system, a tool that continuously monitors the "attack surface" of an enterprise such as URL and URI access points, Internet Protocol address ranges of an enterprise and identify any changes; C2L33-35: assessment provided by the platform include a graphical display enabling an end user to identify weaknesses across a number of security domains... enterprise is assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise's present state and (C16L549-53) in which the process is used in connection with assessing cyber security threat exposure, the platform operates on behalf of a provider of "smart" networking devices that detect malicious activity; C9L11-30: the vulnerability assessment is conducted by third-party field agents engaged or otherwise assigned by the operators of the platform which operate on-site at the enterprise... observing operations and behaviors, and performing cyber exploration, penetration, and vulnerability examinations).
Hogg is not explicit about detecting a security event within the computing platform based upon the identified suspect activity;
But analogous art Web teaches detecting a security event within the computing platform based upon the identified suspect activity; ([082-90, Fig. 11] denial of service detection process detects bandwidth attacks (i.e., security event) against a host based on examining both packet count and byte count to determine whether a host is a potential DoS victim... and based on conditions being satisfied (whether or not the host has a historically high variance in inbound packet rate, if incoming packet count is above a certain threshold etc.) (i.e., suspect activity), then the process increases the severity of the reported event).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hogg to include the idea of detecting a security event based on a suspect event as taught by Web, thereby examining host activity over a sufficiently long period of time to detect stealthy scans ([0100]).
Claim 12: Hogg teaches the computer program product of claim 11 wherein the artifacts include one or more of: raw data; screen shots; graphics; notes; annotations; audio recordings; and video recordings. (C12L51-52, Fig. 4A: shows example screen shot of a user interface for assessment of vulnerability).
Claim 13: Hogg teaches the computer program product of claim 11 further comprising: enabling the third-party to store the artifacts within a defined storage location. (C34L38-44: field team record information related to the operations as findings pertaining to the enterprise via a field agent user interface that is presented on a portable computing device, such as computing devices of Fig. 1A. The data entered via the field agent user interface is stored in a service data store of Fig. 1A).
Claim 14: Hogg teaches the computer program product of claim 11 further comprising: enabling the third-party to provide the artifacts to another party. (C9L35-45: a field agent makes modifications via UI, for presentation to other field agents conducting vulnerability assessments in the future. Executive(s) from the enterprise, such as the Chief Information Security Officer (CISO) can access and manage the vulnerability findings).
Claim 15: Hogg teaches the computer program product of claim 11 further comprising: enabling the third-party to select an object within the threat mitigation user interface, thus defining a selected object; and rendering an inspection window that defines object information concerning the selected object. (C9L23-45: the user interface permits a given field agent assessing a particular enterprise to select from among thousands of potential findings and those findings are organized under security domains according to various organizational schemes selected by the enterprise for its convenience and (C21L27-28) the number of navigation elements to be displayed is discernible).
Claim 16: Hogg teaches the computer program product of claim 15 wherein the inspection window is a popup inspection window. (C39L26-28: results in presentation of a user interface (a pop-up window) presenting the information entered via the user interface).
Claim 17: Hogg teaches the computer program product of claim 15 wherein the inspection window is a slide out inspection window. (C44L1-10, Fig. 10: the slider element represents the "Data" security domain, while the slider represents the "Physical Spaces" security domain, and so on).
Claim 18: Hogg teaches the computer program product of claim 15 wherein enabling a third-party to gather artifacts concerning at least one object within the threat mitigation user interface includes: enabling the third-party to gather artifacts concerning the at least one object within the inspection window. (C9L11-30: the vulnerability assessment is conducted by third-party field agents engaged or otherwise assigned by the operators of the platform which operate on-site at the enterprise... observing operations and behaviors, and performing cyber exploration, penetration, and vulnerability examinations).
Claim 19: Hogg teaches the computer program product of claim 11 further comprising: detecting the security event within the computing platform based upon identified suspect activity. (C2L33-35: assessment provided by the platform include a graphical display enabling an end user to identify weaknesses across a number of security domains... enterprise is assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise's present state).
Claim 20: Hogg teaches the computer program product of claim 19 wherein detecting the security event within the computing platform based upon identified suspect activity includes: monitoring a plurality of sources to identify suspect activity within the computing platform. (C10L40-60: Such digital forensic services include a tool that operates against a file system of a computer to identify files that match certain patterns, defined by regular expressions, which are defined by the user, where the patterns indicate compromise of the system and/or a tool that continuously monitors the "attack surface" of an enterprise and/or Uniform Resource Indicator access points, Internet Protocol address ranges of an enterprise and identify any changes).
Claim 21: Hogg teaches a computing system including a processor and memory configured to perform operations comprising: monitoring and logging, by a plurality of security-relevant subsystems, their respective activity with respect to a computing platform; monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems; rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event; and enabling a third-party to gather artifacts concerning at least one object within the threat mitigation user interface. (C48L27-32: monitors the data source and categorizes the information pertaining to various exploits contained therein according to the attack vector utilized by a given exploit, identifies the peer group or industry that the exploit was utilized against, and, for every given peer group or industry (abstract) and produces a respective domain-level vulnerability score; C2L28-30, 34-46: enable an automated or semi-automated cyber security resilience evaluation, enable end users to identify weaknesses across a number of security domains, sub-domain and performs vulnerability assessments; C10L51-59: a tool that operates against a file system of a computer to identify files that match certain patterns (i.e., log files), ...where the patterns indicate compromise of the system, a tool that continuously monitors the "attack surface" of an enterprise such as URL and URI access points, Internet Protocol address ranges of an enterprise and identify any changes; C2L33-35: assessment provided by the platform include a graphical display enabling an end user to identify weaknesses across a number of security domains... enterprise is assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise's present state and (C16L549-53) in which the process is used in connection with assessing cyber security threat exposure, the platform operates on behalf of a provider of "smart" networking devices that detect malicious activity; C9L11-30: the vulnerability assessment is conducted by third-party field agents engaged or otherwise assigned by the operators of the platform which operate on-site at the enterprise... observing operations and behaviors, and performing cyber exploration, penetration, and vulnerability examinations).
Hogg is not explicit about detecting a security event within the computing platform based upon the identified suspect activity;
But analogous art Web teaches detecting a security event within the computing platform based upon the identified suspect activity; ([082-90, Fig. 11] denial of service detection process detects bandwidth attacks (i.e., security event) against a host based on examining both packet count and byte count to determine whether a host is a potential DoS victim... and based on conditions being satisfied (whether or not the host has a historically high variance in inbound packet rate, if incoming packet count is above a certain threshold etc.) (i.e., suspect activity), then the process increases the severity of the reported event).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hogg to include the idea of detecting a security event based on a suspect event as taught by Web, thereby examining host activity over a sufficiently long period of time to detect stealthy scans ([0100]).
Claim 22: Hogg teaches the computing system of claim 21 wherein the artifacts include one or more of: raw data; screen shots; graphics; notes; annotations; audio recordings; and video recordings. (C12L51-52, Fig. 4A: shows example screen shot of a user interface for assessment of vulnerability).
Claim 23: Hogg teaches the computing system of claim 21 further comprising: enabling the third-party to store the artifacts within a defined storage location. (C34L38-44: field team record information related to the operations as findings pertaining to the enterprise via a field agent user interface that is presented on a portable computing device, such as computing devices of Fig. 1A. The data entered via the field agent user interface is stored in a service data store of Fig. 1A).
Claim 24: Hogg teaches the computing system of claim 21 further comprising: enabling the third-party to provide the artifacts to another party. (C9L35-45: a field agent makes modifications via UI, for presentation to other field agents conducting vulnerability assessments in the future. Executive(s) from the enterprise, such as the Chief Information Security Officer (CISO) can access and manage the vulnerability findings).
Claim 25: Hogg teaches the computing system of claim 21 further comprising: enabling the third-party to select an object within the threat mitigation user interface, thus defining a selected object; and rendering an inspection window that defines object information concerning the selected object. (C9L23-45: the user interface permits a given field agent assessing a particular enterprise to select from among thousands of potential findings and those findings are organized under security domains according to various organizational schemes selected by the enterprise for its convenience and (C21L27-28) the number of navigation elements to be displayed is discernible).
Claim 26: Hogg teaches the computing system of claim 25 wherein the inspection window is a popup inspection window. (C39L26-28: results in presentation of a user interface (a pop-up window) presenting the information entered via the user interface).
Claim 27: Hogg teaches the computing system of claim 25 wherein the inspection window is a slide out inspection window. (C44L1-10, Fig. 10: the slider element represents the "Data" security domain, while the slider represents the "Physical Spaces" security domain, and so on).
Claim 28: Hogg teaches the computing system of claim 25 wherein enabling a third-party to gather artifacts concerning at least one object within the threat mitigation user interface includes: enabling the third-party to gather artifacts concerning the at least one object within the inspection window. (C9L11-30: the vulnerability assessment is conducted by third-party field agents engaged or otherwise assigned by the operators of the platform which operate on-site at the enterprise... observing operations and behaviors, and performing cyber exploration, penetration, and vulnerability examinations).
Claim 29: Hogg teaches the computing system of claim 21 further comprising: detecting the security event within the computing platform based upon identified suspect activity. (C2L33-35: assessment provided by the platform include a graphical display enabling an end user to identify weaknesses across a number of security domains... enterprise is assessed in view of a target vulnerability rating and/or peer benchmark vulnerability ratings to enable visual comparison of the enterprise's present state).
Claim 30: Hogg teaches the computing system of claim 29 wherein detecting the security event within the computing platform based upon identified suspect activity includes: monitoring a plurality of sources to identify suspect activity within the computing platform. (C10L40-60: Such digital forensic services include a tool that operates against a file system of a computer to identify files that match certain patterns, defined by regular expressions, which are defined by the user, where the patterns indicate compromise of the system and/or a tool that continuously monitors the "attack surface" of an enterprise and/or Uniform Resource Indicator access points, Internet Protocol address ranges of an enterprise and identify any changes).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 



Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/BADRINARAYANAN /P'Examiner, Art Unit 2496.