DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
With respect to Applicant’s amendment of the specification with regards to minor informalities, objections with respect to the same have been withdrawn.
With respect to Applicant’s amendment of claims 1-3, 5, 11-14 and 16-19 with regards to minor informalities, the claim objections with respect to the same have been withdrawn.
Claim Objections
Claims 6 and 11 are objected to because of the following informalities:  
Claim 6, line 2, should –the-- be inserted before “memory”? See claim 1.

Claim 11, lines 5-6, “the preconfigured penetration test script” lacks proper antecedent basis.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-9, 11-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gorodissky et al. (US PGPUB 2019/0245883; hereinafter “Gorodissky”) in view of Malla et al. (US PGPUB 2018/0173606; hereinafter “Malla”), in view of Porcello et al. (US PGPUB 2013/0014263; hereinafter “Porcello”) and in view of Douglas et al. (US PGPUB 2015/0261658; hereinafter “Douglas”).
Claim 1: (Currently Amended)
Gorodissky teaches a penetration testing device comprising: 
a memory; and a processor that is arranged to perform operations including ([0289] “The penetration testing system comprises: a. a remote computing device comprising a computer memory and one or more processors.” [0405] “steps a-h is performed by executing computer code of the penetration testing software module by one or more processors of the remote computing device.”): 
if the determined mode of operation is the headless mode ([0209] “A method of penetration testing of a networked system by a penetration testing system that is controlled by a user interface of a computing device so that a penetration testing campaign is executed according to an automatic selecting of one or more goals of an attacker of the penetration testing campaign,” wherein the “penetration testing” utilizing “automatic selecting” is the “headless mode”.): 
determining a penetration test script customized for a target application ([0038] “A specific run of a specific test of a specific networked system by a penetration testing system is called a ‘campaign’ of that penetration testing system,” wherein the “campaign” is the “test script”. [0209] “the method comprising: a. determining, by the penetration testing system, a type of the attacker of the penetration testing campaign; b. automatically selecting, by the penetration testing system and according to the type of the attacker of the penetration testing campaign, one or more goals of the attacker.” [0648] “Seventeen (17) examples of goals of an attacker are listed below:” [0664] “P. compromising a given number of network nodes, all of which are members of a pre-defined subset of the nodes of the tested networked system. The pre-defined subset may be, for example, all the nodes running the Windows 7 Operating system,” wherein the “Windows 7 Operating system” is the “target application”. Further, [0099] “For example, the penetration testing system may have in its knowledge base a rule saying that a network node running the Windows 7 Operating System might be compromised by sending it a specific network message through a specific Internet port.”); 
in response to receiving an instruction to perform an autonomous penetration test, executing the penetration test script to perform the autonomous penetration test on the target application ([0209] “c. executing the penetration testing campaign, by the penetration testing system and according to i. the type of the attacker of the penetration testing campaign, and ii. the automatically selected one or more goals, so as to test the networked system”); 
based on results of the autonomous penetration test, compiling data indicative of security vulnerabilities in the target application ([0209] “d. reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system by the executing of the penetration testing campaign, wherein the reporting comprises at least one of (i) causing a display device to display a report describing the at least one security vulnerability, and (ii) electronically transmitting a report describing the at least one security vulnerability.”); and 
storing the compiled data in the memory ([0280] “wherein the reporting comprises at least one of … (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file”); and 
if the determined mode of operation is the remote mode ([0120] “A method of penetration testing of a networked system by a penetration testing system that is controlled by a user interface of a computing device so that a penetration testing campaign is executed according to one or more manually and explicitly-selected capabilities of an attacker of the penetration testing campaign,” wherein the “penetration testing” utilizing “manually selecting” is the “headless mode”.): 
establishing a connection between the penetration testing device and a remote computing device ([0721] “the console may be associated with a separate computing device that is different from the remote computing device executing the campaign and is in communication with it.”); 
receiving from the remote computing device instructions for performing a remote penetration test on the target application ([0120] “the method comprising: receiving, by the penetration testing system and via the user interface of the computing device, one or more manually-entered inputs, the one or more manually-entered inputs explicitly selecting one or more capabilities of the attacker of the penetration testing campaign.” [0721] “the user performs all the above selections by operating a console with a GUI supporting all the functions described above”); 
performing the remote penetration test instructions to determine the security vulnerabilities of the target application ([0120] “executing the penetration testing campaign, by the penetration testing system and according to the manually and explicitly-provided selection of the one or more capabilities of the attacker, so as to test the networked system”); and 
providing the remote computing device with a compilation of the security vulnerabilities ([0120] “reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system by the executing of the penetration testing campaign, wherein the reporting comprises at least one of (i) causing a display device to display a report describing the at least one security vulnerability, and (ii) electronically transmitting a report describing the at least one security vulnerability.”).

With further regard to Claim 1, Gorodissky does not teach the following, however, Malla teaches:
determining a mode of operation for the penetration testing device from one of a headless mode and a remote mode ([0108] “The user may also select a mode of navigation to be used in the testing automation framework. In this regard, the testing automation framework logic 32 includes input logic configured to allow the user to make one or more of the above selections, as well as to allow the user to select a navigation mode from (i) an assisted automation mode; (ii) a semi-automation mode; and (iii) a manual traversal mode.” [0110] “The core engine, namely the test execution module 39, for driving the automation may be operated in an assisted automation mode with the user initiating a page component builder and automated script generation with no recorder or manual intervention by the user or alternatively levels of manual involvement can be opted for by the user. FIG. 8 shows in steps 258-272 the latter approach that involves a certain level of manual intervention in terms of the field type being selected and will be described below. FIGS. 9-10 on the other hand shows the former approach and shows a more automated approach.”); and
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the device as disclosed by Gorodissky with the mode determination as taught by Malla “in order to at least ease the initial scripting efforts to improve the initial productivity as well as, at the same time, put in place a framework that can substantially reduce the subsequent maintenance efforts” (Malla [0063]).

With further regard to Claim 1, Gorodissky in view of Malla does not teach the following, however, Porcello teaches:
wherein the established connection between the penetration testing device and a remote computing device is a secure connection ([0006] “a system for performing a security audit of a target network, and the target network includes a communication link. The system includes a device capable of establishing a connection to the target network through the communication link and the device has reverse tunneling capabilities for establishing a secure tunnel over the Internet. The secure tunnel may be encrypted via SSH. Also, the system includes a receiving computer connected to the device through the secure tunnel established by the device over the Internet. Once connected to the device, the receiving computer may send commands to the device for performing the security audit of the target network,” wherein the “device” is the “penetration testing device” and further wherein the “receiving computer” is the “remote computing device”.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the device as disclosed by Gorodissky in view of Malla with the secure connection as taught by Porcello since “What is needed is a network security auditing system and method that allows a penetration testing company to remotely gain access to a target network securely over the Internet” (Porcello [0005]).

With further regard to Claim 1, Gorodissky in view of Malla and Porcello does not teach the following, however, Douglas teaches:
determining availability of one or more penetrating testing resources for conducting a penetration test ([0012] “The systems and/or methods may automatically monitor the availability of resources of the cloud test device... Although implementations are described herein in connection with performing tests in a cloud computing environment, the systems and/or methods may be utilized for performing tests in other types of environments where there is a pool of resources for executing the tests.” [0019] “queue manager 222 may receive, from resource manager 223, resource availability information associated with resources of cloud test device 240.”); and
determining, based on the availability, a mode of operation for the penetration testing device ([0042] “queue manager 222 may determine whether the request to test the software can be executed by cloud test device 240 based on types of resources (e.g., a type of processor, memory, etc.) needed for the test, a number of resources needed for the test.” [0044] “if a next request in the queue cannot be processed because the required resources for the next request are unavailable, queue manager 222 may determine whether a request after the next request can be processed with the available resources of cloud test device 240,” wherein the processing of a first or second test request dependent on available testing resources in Douglas has been interpreted, in combination with the above teachings of Gorodissky in view of Malla and Porcello, as “determining… a mode of operation for the penetration testing device” as claimed.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the device as disclosed by Gorodissky in view of Malla and Porcello with the testing based on resource availability as taught by Douglas in order to “enable scheduling server 220 to intelligently queue requests, cause multiple low utilization requests to execute simultaneously, etc” (Douglas [0005]).

Claim 2: (Currently Amended)
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 1. Gorodissky in view of Malla and Douglas does not teach the following, however, Porcello further teaches wherein determining the penetration test script for the target application comprises:
receiving a preconfigured penetration test script from a removable media device connected to the penetration testing device ([0025] “a SDHC/SDIO card slot 16 … is disposed on the device. Use of an extra SD card with the device may be required for larger exploit collections, wordlists, and the like.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the device as disclosed by Gorodissky in view of Malla and Douglas with the use of a removable media device for storage as taught by Porcello since “for disk expansion” (Porcello [0005]).

Claim 3: (Currently Amended)
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 1 and Gorodissky further teaches wherein determining the penetration test script comprises: 
providing one or more values for one or more parameters in a template script stored in the memory; and based on the one or more values and the template script, generating the penetration test script ([0038] “A collection of values for all information items a penetration testing system must know before executing a campaign is called ‘specifications of the campaign’ or ‘scenario’. For example, the type of the attacker and the goal of the attacker are specific information items of a campaign, and specific values for them are parts of the specifications of any campaign.” [0451] “the first penetration testing campaign is based on a first scenario template” [1330] “1. receiving, by the penetration testing system and via the user interface of the computing device, one or more manually-entered inputs… to be used for validating vulnerabilities in a penetration testing campaign that is based on the common scenario template.”).

Claim 4:	
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 3 and Gorodissky further teaches wherein the one or more parameters comprise: an IP range, DNS data, a scan option, and an intensity setting ([0179] “receiving, by the penetration testing system and via the user interface of the computing device, one or more manually-entered inputs, the one or more manually-entered inputs explicitly selecting one or more goals of the attacker of the penetration testing campaign, wherein at least one goal of the one or more goals satisfies at least one condition selected from the group consisting of: i. the at least one goal is a resource-specific goal.” [1388] “32.’a resource-specific goal of an attacker’—A goal of the attacker that has a characteristic of being associated with a specific resource in the tested networked system… The specific resource may be identified by … an address (e.g. a network address of a peripheral device),” wherein the “network address” is an “IP range”.).

Claim 6:	
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 1 and Gorodissky further teaches wherein information indicative of one or more protocols are stored in memory, and wherein the penetration testing device supports the one or more protocols ([0062] “Another example of an opportunistic vulnerability is when a transmission by a network node of a certain message type of a certain network protocol creates an opportunity for attackers to respond with a malicious reply message, which leads to compromising of the network node.” [0942] “the penetration testing server may employ a pre-defined rule according to which, if a hostile node (already compromised by the attacker) is able to capture a WPAD [Web Proxy Auto-Discovery protocol] request from another node and the browser submitting the request is Internet Explorer version 8.0 or earlier, it can be assumed that the attack would succeed.”).

Claim 7:	
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 1 and Gorodissky further teaches wherein executing the penetration test script comprises: 
scanning the target application to map the target application ([1083] In step S4205 as performed by node N103, the following data is transmitted at 11:04 AM from node N103 to remote computing device 252.” [1085] “(ii) whether or not Port XYZ of node N103 is currently open to receive incoming network messages” [1157] “an attacker can determine which Internet ports are open in a not-yet-compromised node by instructing an already-compromised node to run a port scanning operation on the not-yet-compromised node. However, it is more efficient for the penetration testing system to obtain the open ports list directly from the agent installed on the not-yet-compromised node”); 
based on a map of the target application, performing a series of tests to identify and evaluate potential vulnerabilities ([1073] “II. LOGIC of S4313—a target node is deemed to be a node that could be successfully compromised by using the Bad 7 Trojan vulnerability (i.e. in step S4313) if and only all of the following conditions are true (in addition to the Windows 7 condition that was already checked in step S4305):” [1074] “A. A given Microsoft® security patch must not been installed on the node” [1075] “B. Port XYZ is open to receive incoming network messages” [1078] “In step S4301 (performed at 11:01 AM) the remote computing device selects a node having a direct connection to the outside world” [1080] “Because Node N103 is a Windows® 7 node, the potential vulnerability selected (i.e. according to LOGIC of S4305) in step S4305 is the Bad 7 Trojan Vulnerability.”); and 
determining which of the potential vulnerabilities are the security vulnerabilities ([1083] “the following data is transmitted at 11:04 AM from node N103 to remote computing device” [1084] “(i) whether or not the given Microsoft security patch has been installed on node N103” [1085] “(ii) whether or not Port XYZ of node N103 is currently open to receive incoming network messages” [1089] “in step S4313, when the entry for the Bad 7 Trojan Vulnerability of the VDB is applied to the data for node N103 received in step S4309, the result is YES (i.e. the vulnerability would succeed in compromising node N103)—this is according to LOGIC of S4313.” [1090] “In step S4317 a method for an attacker to compromise the target network node N103 is determined to be sending to port XYZ of node N103 a specific network message causing node N103 to download (i.e. from a known repository of Bad 7 Trojan) and execute the Bad 7 Trojan malicious code.”).

Claim 8:	
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 7 and Gorodissky further teaches wherein the series of tests comprise a test to validate false positives ([0393] “For each target node, the validation decisions are left to the remote computing device, rather than to the target node. Towards this end, the remote computing device hosts and/or implements both (i) a vulnerabilities knowledge base and (ii) validation logic for the potential vulnerabilities. For each validation to be decided for a given potential vulnerability and for a given target node, the remote computing device applies the decision logic associated with the given potential vulnerability according to the vulnerabilities knowledge base using data obtained from the target node, including internal data of the target node.”).

Claim 9:	
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 7 and Gorodissky further teaches wherein the series of tests evaluate whether any of the potential vulnerabilities are known exploitable vulnerabilities ([0083] “A penetration testing system has a frequent need to identify a vulnerability that would compromise a given network node. This identification is typically achieved by using a pre-compiled knowledge base about known vulnerabilities, that depends on characteristics of the given network node. In one example related to the Bad 7 Trojan, the penetration testing system may have in its knowledge base a rule saying that a network node running the Windows 7 Operating System might be compromised by sending it a specific network message through a specific Internet port.”).

Claim 11: (Currently Amended)
Gorodissky in view of Malla, Porcello and Douglas teaches the device of claim 1 and Gorodissky further teaches 
wherein the penetration testing device further comprises a display ([0026] “Computing device 110 may include a user-interface for receiving input from a user… and for visually displaying output. The user-interface (e.g. … (GUI)) of computing device 110 may thus include the combination of HID [human-interface device] device 140 … [and] display device 130.”), and 
wherein in response to receiving the instruction to perform the autonomous penetration test, executing the penetration test script to perform the autonomous penetration test on the target application comprises ([0209] “c. executing the penetration testing campaign, by the penetration testing system and according to i. the type of the attacker of the penetration testing campaign, and ii. the automatically selected one or more goals, so as to test the networked system”): 
providing on the display a selectable icon for initiating execution of the preconfigured penetration test script by the penetration testing device ([0730] “The step of manually selecting the capability may include the following steps: [0731] 1. automatically determining, by the penetration testing system, a recommendation for selecting a capability of the attacker; [0732] 2. presenting to the user, by the penetration testing system, the recommended capability”); and 
in response to determining that the selectable icon has been selected, generating the instruction to perform the autonomous penetration test ([0733] “3. manually approving, by the user and using the user interface of the computing device, to use the recommended capability as a capability of the attacker of the campaign.” [0728] “2. executing, by the penetration testing system, the campaign of the penetration testing system for testing the networked system, where the campaign is executed using the manually selected capability of the attacker;”).

Claims 12-15 and 17-20:
With regard to Claims 12-15 and 17-20, these claims are equivalent in scope to Claims 1-4 rejected above, merely having a different independent claim type, and as such Claims 12-15 and 17-20 are rejected under the same grounds and for the same reasons as discussed above with regard to Claims 1-4.
With further regard to Claim 12, the claim recites additional elements not specifically addressed in the rejection of Claim 1. The Gorodissky reference also anticipates these additional elements of Claim 12, for example, Gorodissky teaches:
a non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations ([0967] “The penetration testing storage medium 3214 may be a non-transitory computer readable storage medium, and includes instructions to be executed by processor(s) 3210 of remote computing device 3208.”).

Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gorodissky in view of Malla, Porcello and Douglas as applied to claims 1 and 12 above, and further in view of Meinhart (US PGPUB 2018/0303003; hereinafter “Meinhart”).
Claim 5: (Currently Amended)
Gorodissky in view of Malla, Porcello and Douglas teaches all the limitations of claim 1 as described above. Gorodissky in view of Malla, Porcello and Douglas does not teach the following, however, Meinhart teaches:
wherein the penetration testing device is housed in a rugged case, and wherein one or more connectors are integrated into the rugged case ([0050] “FIG. 6 shows a side view of the exemplary person-portable command and control system 101 showing … a view of various component interface ports,” see also Figs. 2 and 3 showing a plurality of external ports, i.e. connectors. [0080] “FIG. 26A shows a method for optimizing a one-person-portable command and control data center 101 for network penetration testing.” [0086] “An additional embodiment of the invention could include forming the case in such a manner so as to protect the internal components from environmental contamination through the use of seals and filters.” [0087] “An additional embodiment of the invention could include forming the case to make it more resistant to impact damage through the utilization of carbon fibers in the formation.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the device as disclosed by Gorodissky in view of Malla, Porcello and Douglas with the rugged case as taught by Meinhart since this “addresses a need for a compact, one-person portable data center with the ability to provide situational awareness and a communication infrastructure in a variety of austere environments and situations” (Meinhart [0003]).

Claim 16:
With regard to Claim 16, this claim is equivalent in scope to Claim 5 rejected above, merely having a different independent claim type, and as such Claim 16 is rejected under the same grounds and for the same reasons as discussed above with regard to Claim 5.	

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Gorodissky in view of Malla, Porcello and Douglas as applied to claim 1 above, and further in view of Futoransky et al. (US PGPUB 2014/0237606; hereinafter “Futoransky”).
Claim 10:
Gorodissky in view of Malla, Porcello and Douglas teaches all the limitations of claim 1 as described above. Gorodissky in view of Malla, Porcello and Douglas does not teach the following, however, Futoransky teaches:
wherein the series of tests detect vendor specific default credentials and remote login prompts ([0060] “authentication credentials for the different profiles that are associated to each web application included in the test (e.g., username and password).” [0099] “For example, the pentest task ticket may include the URI of a web-application hosted on an instance in EC2, the ID of this instance and the key-ID & key pair required to describe this instance; it may also include login credentials for the web application and other details defining the web-application pentest.” Further, see Claims 4 and 5 of Futoransky which respectively recite, “wherein the pentest definitions include machines and web applications owned by the user to be attacked and parameters defining the pentest” and “wherein the parameters include … default credentials to log into web applications to be attacked”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the device as disclosed by Gorodissky in view of Malla, Porcello and Douglas with the default credentials as taught by Futoransky as this “improves the mobility and granularity with which penetration testing and risk assessment chores can be serviced, while it brings in new opportunities for measuring security and comparing the security posture of those being tested” (Futoransky [0047]).

Response to Arguments
Applicant's arguments, see Pages 11-14 of the Remarks filed June 27, 2022, with respect to the rejections under 35 U.S.C. 103 of Claims 1-20 have been fully considered but they are not persuasive. With respect to the Applicant’s argument that the newly amended language of Claims 1, 12 and 17 is not taught by the previously cited prior art, this argument has been fully considered but is moot in view of the newly cited Douglas reference as discussed above in the respective rejections.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is as follows:
Khatibsyarbini et al. (“Test case prioritization approaches in regression testing: A systematic literature review,” 2018) discusses current test case prioritization approaches, wherein prioritization is discussed as being depending on criteria such as project schedule and available resources.
Baresi et al. (“An Introduction to Software Testing,” 2006) discusses the challenges associated with software testing, wherein it is noted that developing and enacting an effective quality testing process is not a simple task and requires the integration of quality-related activities with product characteristics, process organization, available resources and skills, and budget constraints.
	

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOANNE GONZALES MACASIANO whose telephone number is (571)270-7749. The examiner can normally be reached Monday to Thursday, 10:30 AM to 6:00 PM Eastern Standard Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on (571) 272-6799. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/J.G.M/Examiner, Art Unit 2194

/S. SOUGH/SPE, AU 2192/2194