G06F 21 is the Cooperative Patent Classification group that gathers the technology behind endpoint and system security — the malware detectors, intrusion detectors, access controls, and platform-integrity mechanisms that make up the defensive side of the industry. When an examiner places a patent in G06F 21, it is because the claimed contribution protects a computer and what runs on it, rather than the cryptography of a communication channel. The group sits within the G section (physics), the G06 class (computing and calculating), and the G06F subclass (electric digital data processing). Its official main-group title states the scope.

"Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity" — CPC group G06F 21/00

That title is the charter for the entire defensive-security family, and it draws a clean line against the cryptography class. G06F 21 protects the machine, the programs, and the data; H04L 9, by contrast, covers "cryptographic mechanisms ... for secret or secure communications." The two intersect at exactly one place worth noting: G06F 21/60, "Protecting data," and its child G06F 21/602, "Providing cryptographic facilities or services," handle the cryptographic protection of data on a device, which is why a patent on on-device encryption can land in G06F 21/602 rather than H04L 9. But the heart of G06F 21 is not cryptography — it is detection and control, the technology behind endpoint detection and response (EDR), extended detection and response (XDR), anti-malware engines, and access management.

How the subgroups map to security products

The subgroups of G06F 21 read almost like a product taxonomy. G06F 21/50 is "Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems" — the integrity-monitoring branch. Under it, G06F 21/55 is "Detecting local intrusion or implementing counter-measures," the intrusion-detection branch that underlies much of what EDR products do on the host. G06F 21/56 is "Computer malware detection or handling, e.g. anti-virus arrangements," and it carries the most product-relevant split in the whole class: G06F 21/562 is "Static detection" — analyzing a file's structure and content without running it — and G06F 21/566 is "Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities" — watching behavior as code executes, in a sandbox or on the live endpoint. That static-versus-dynamic divide is the same one security engineers draw between signature-and-structure analysis and behavioral detection, and the CPC encodes it directly into the classification. Elsewhere in the group, G06F 21/60 covers protecting data and G06F 21/62 covers controlling access to data, the access-control corner of the class.

Reading a real G06F 21 patent

A concrete example shows how the subgroups attach to actual claims. The granted patent US10657251B1, "Multistage system and method for analyzing obfuscated content for malware," assigned to FireEye, Inc., with a September 30, 2013 priority date and a May 19, 2020 grant, is classified under G06F 21/00, G06F 21/50, G06F 21/55, G06F 21/56, G06F 21/562, and G06F 21/566 — it touches both the static and the dynamic detection subgroups because its claims do both. Independent claim 1 is directed to "A system for detecting malicious content, comprising: a hardware storage device; a first component ... to receive content and determine whether native code of the content is accessible; a de-constructor ... to select an analysis technique that implements a de-compiler to access the native code and output a deconstructed representation of the received content; and a post-processor ... to ... determine whether the native code represented by the deconstructed representation ... is suspicious ... [and] establish a secure communication with a cloud computing service when the native code is determined to be suspicious ... to perform a dynamic analysis of the native code." The claim's structure tracks the classification: a de-constructor that makes obfuscated content accessible and inspects it (static detection, G06F 21/562) and a hand-off to cloud-based dynamic analysis when something looks suspicious (dynamic detection, G06F 21/566). The CPC symbols are not decoration; they encode the exact detection methods the claim recites.

The static-versus-dynamic split inside G06F 21/56 is worth dwelling on, because it is the distinction that most often separates one detection patent from another. Static detection (G06F 21/562) examines content without executing it — parsing file structure, extracting features, matching against known-bad patterns, and, as in the FireEye claim, de-obfuscating or de-compiling content to make hidden code inspectable. Dynamic detection (G06F 21/566) runs or emulates the content and watches what it does — the "suspicious activities" the subgroup title names, observed at run-time in a sandbox or on the endpoint itself. Modern detection products combine both, and a patent that claims a hand-off from static triage to dynamic analysis, the way US10657251B1 does, earns classification in both subgroups precisely because its claimed method spans the two stages. When you see G06F 21/562 and G06F 21/566 together on a record, that pairing is a reliable signal that the invention is a multi-stage detector rather than a single-technique one.

For mapping the defensive-security IP landscape, G06F 21 is the class to watch, and its subgroups are the resolution that makes the map useful. A vendor accumulating filings in G06F 21/566 is investing in run-time behavioral detection — the engine room of modern EDR; a concentration in G06F 21/55 points to host intrusion detection; activity in G06F 21/62 points to access control and data-loss prevention. As always, the class tells you the subject matter, not the status or the scope: whether a record is a granted patent or a pending application is the kind code's job, and how broadly a claim actually reaches is a question only the independent claim can answer. But before any of that, the G06F 21 symbol tells you the patent is about protecting computers, programs, and data against unauthorised activity — in the precise language the CPC group G06F 21/00 uses to define the field.
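The two reading rules above (the G06F 21/562 plus G06F 21/566 pairing as a multi-stage signal, and per-vendor subgroup counts as a landscape map) can be applied mechanically to classification lists. The sketch below is an added example, not part of the original article or of any patent office tool; the record layout, the `EXAMPLE-` identifiers and "Vendor A" are constructed, and the labels paraphrase this page's descriptions rather than the full CPC scheme.

```python
import re
from collections import Counter, defaultdict

# Labels paraphrase this page's descriptions; they are not the full CPC scheme.
LABELS = {
    "G06F 21/50": "platform integrity monitoring",
    "G06F 21/55": "local intrusion detection",
    "G06F 21/56": "malware detection or handling",
    "G06F 21/562": "static detection",
    "G06F 21/566": "dynamic (run-time) detection",
    "G06F 21/60": "protecting data",
    "G06F 21/602": "cryptographic facilities or services",
    "G06F 21/62": "controlling access to data",
}
CPC_RE = re.compile(r"^([A-HY])(\d{2})([A-Z])(\d{1,4})/(\d{2,6})$")

def normalize(symbol):
    """Return 'G06F 21/566' style text, or None if it is not a CPC symbol."""
    m = CPC_RE.match(re.sub(r"\s+", "", symbol).upper())
    return f"{m[1]}{m[2]}{m[3]} {m[4]}/{m[5]}" if m else None

def g06f21_symbols(record):
    syms = {normalize(s) for s in record["cpc"]}
    return {s for s in syms if s and s.startswith("G06F 21/")}

def is_multistage(record):
    """True when static and dynamic detection subgroups appear together."""
    return {"G06F 21/562", "G06F 21/566"} <= g06f21_symbols(record)

def landscape(records):
    counts = defaultdict(Counter)  # assignee -> subgroup -> number of records
    for rec in records:
        counts[rec["assignee"]].update(g06f21_symbols(rec))
    return counts

# First record carries the classification listed on this page; the rest are constructed.
RECORDS = [
    {"id": "US10657251B1", "assignee": "FireEye, Inc.",
     "cpc": ["G06F 21/00", "G06F21/50", "G06F 21/55", "G06F 21/56",
             "g06f 21/562", "G06F21/566"]},
    {"id": "EXAMPLE-0001", "assignee": "Vendor A (constructed)",
     "cpc": ["G06F 21/566", "G06F 21/55"]},
    {"id": "EXAMPLE-0002", "assignee": "Vendor A (constructed)",
     "cpc": ["G06F21/566", "H04L 9/00", "not a symbol"]},
]
if __name__ == "__main__":
    print([r["id"] for r in RECORDS if is_multistage(r)])
    for assignee, c in landscape(RECORDS).items():
        print(assignee, [(s, n, LABELS.get(s, "?")) for s, n in c.most_common()])
```

Symbols outside G06F 21, such as the H04L 9/00 entry, are normalized but left out of the counts, which mirrors the line the article draws between the two classes.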