On July 2, 2026 a patent application published that describes cloud endpoint detection in language that, for all but its last step, will sound routine to anyone who has read a detection patent: put a sensor on the thing you want to watch, have it notice an event, and act on the event when a rule says to. Before anything else, the label that governs how to read it: this is a published application, not a granted patent. It establishes what Wiz, Inc. filed and asked an examiner to consider, not anything it can yet enforce. With that fixed, the interesting question is what the claim actually recites, and where its weight sits.
The record is US20260189464A1, "Endpoint Detection and Response Based on Aggregated Runtime Execution Data," assigned to Wiz, Inc. Its independent method claim is short and worth reading in full, because the last limitation is the one carrying the load.
A method for performing cybersecurity threat detection on a resource in a cloud computing environment, comprising: providing a sensor to the resource; configuring the sensor to detect an event in the resource from a data link layer communication; matching the event to a rule, the rule specifying a mitigation action if a condition is met; initiating the mitigation action in accordance with the rule; and including data of the event in a software bill of materials (SBOM).
Source: Endpoint Detection and Response Based on Aggregated Runtime Execution Data, US20260189464A1, independent method claim.
The first four steps (provide a sensor, detect an event, match it to a rule that carries a conditional mitigation, initiate the mitigation) describe a conventional detect-and-respond loop. One detail in the second step deserves a note: the event is detected "from a data link layer communication", which in OSI terms is layer 2, so the sensor as claimed observes frame-level traffic on the resource; how the application, library and URL fields recited in the dependent claims are derived from that observation is left to the specification rather than the claim language. The fifth step is the distinguishing limitation as the claim is written: the event's data is recorded into a software bill of materials. An SBOM is normally a static, build-time inventory of a program's components (CycloneDX and SPDX are the common formats); the claim repurposes it as the place runtime event data lands. On the face of the claim, that is what separates the recited method from an ordinary endpoint agent that detects and blocks without persisting the event into a component-indexed inventory.
What the dependent claims add
The dependent claims are where the coverage takes shape. One recites that the event data may include an identifier of the resource, an identifier of an application executing during the event, a URL request, an identifier of a software library or binary accessed during the event, a hash value, and a timestamp: the fields that let an SBOM entry describe a runtime event rather than a build-time dependency. A further claim recites detecting an identifier of the resource in the event data held in the SBOM, inspecting the resource for a cybersecurity object, detecting another event, and initiating a remediation action based on a toxic combination in response to the object and the other event. The remediation is drawn from a familiar menu (applying a patch, modifying permissions, applying access controls, blocking IP addresses, or disabling accounts), but the antecedent is the notable part: remediation is claimed as triggered by a combination of separately detected elements, and the SBOM record is what makes those elements joinable, since the resource identifier it holds is the key that ties the inspection result and the later event to the same resource. Other dependent claims recite terminating detection after a set period of time or a set number of events, and transmitting the SBOM to an inspection environment. The independent claim also appears in parallel non-transitory-medium and system form, the standard method/medium/system trio.
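To make the claimed pipeline concrete, here is an added example, written for this page and not code from Wiz or from the application, that models the independent claim's five steps and the dependent claim's toxic-combination join. The sensor events, the rule, the inspection finding, and the host names and hashes are all constructed; the "runtime SBOM" is a plain per-resource dictionary rather than a CycloneDX or SPDX document, and mitigation and remediation are returned as labels rather than executed. It also models the dependent claim that terminates detection after a set number of events.

```python
"""Model of the pipeline the published claim recites: a sensor event is matched
against rules, a mitigation is initiated, and the event's data is recorded into
a runtime SBOM; a second pass joins that record to an inspection finding and a
later event (the dependent claim's "toxic combination"). Constructed example:
not code from Wiz or from the application, and the SBOM is a plain dict, not a
CycloneDX or SPDX document."""
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlsplit

Event = dict  # one sensor observation; keys follow the dependent claim's field list

# Constructed sensor events: resource id, application, URL request, library or
# binary accessed, hash value, timestamp. Hosts, names and hashes are made up.
EVENTS: list[Event] = [
    {"resource": "vm-a1", "app": "api-server", "url": "https://updates.example/manifest",
     "library": "libparse.so", "hash": "sha256:0a1b", "ts": 1000},
    {"resource": "vm-a1", "app": "api-server", "url": "http://203.0.113.9/pull",
     "library": "libparse.so", "hash": "sha256:0a1b", "ts": 1005},
    {"resource": "vm-b2", "app": "worker", "url": "https://queue.example/pull",
     "library": "libqueue.so", "hash": "sha256:ffee", "ts": 1010},
    {"resource": "vm-b2", "app": "worker", "url": "https://queue.example/ack",
     "library": "libqueue.so", "hash": "sha256:ffee", "ts": 1011},
]


def is_plaintext_http(e: Event) -> bool:
    """Hypothetical rule condition: the URL request went out over plain HTTP."""
    return urlsplit(e["url"]).scheme == "http"


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]
    mitigation: str  # label drawn from the claim's menu; nothing is executed here


RULES = [Rule("plaintext-egress", is_plaintext_http, "apply access controls")]


@dataclass
class RuntimeSbom:
    """An SBOM used as the claim uses it: a per-resource component inventory whose
    entries carry the runtime event that touched the component."""
    entries: dict[str, list[dict]] = field(default_factory=dict)

    def record(self, e: Event) -> None:
        self.entries.setdefault(e["resource"], []).append(
            {"component": e["library"], "hash": e["hash"], "event": e}
        )


def run_pipeline(events, rules, max_events=None):
    """The independent claim's steps: detect, match a rule, initiate the mitigation,
    include the event data in the SBOM. max_events models the dependent claim that
    terminates detection after a set number of events."""
    sbom, actions = RuntimeSbom(), []
    for n, e in enumerate(events):
        if max_events is not None and n >= max_events:
            break
        for r in rules:
            if r.condition(e):
                actions.append((e["resource"], r.name, r.mitigation))
        sbom.record(e)
    return sbom, actions


# Constructed inspection result: the "cybersecurity object" found on a resource,
# here a component the inspector flagged. No real vulnerability is implied.
FINDINGS = {"vm-a1": {"libparse.so"}}


def toxic_combinations(sbom, findings, new_events, other_event=is_plaintext_http):
    """Dependent-claim join: a resource id held in the SBOM, an inspected object on
    that resource, and another event on it together trigger a remediation."""
    hits = []
    for e in new_events:
        resource = e["resource"]
        if resource not in sbom.entries:  # identifier must be present in the SBOM
            continue
        recorded = {ent["component"] for ent in sbom.entries[resource]}
        objects = findings.get(resource, set()) & recorded  # inspect the resource
        if objects and other_event(e):  # the other event completes the combination
            hits.append((resource, sorted(objects), "block IP addresses"))
    return hits


if __name__ == "__main__":
    sbom, actions = run_pipeline(EVENTS, RULES)
    print("mitigations:", actions)
    print("remediations:", toxic_combinations(sbom, FINDINGS, EVENTS))
```

The point the model makes is the one the claim turns on: the rule match alone yields one mitigation, but the remediation in the second pass fires only because the earlier event was persisted under the resource identifier, which is what lets the inspection finding and the later plaintext request be recognised as the same resource's combination. Drop the SBOM record (or cap detection at zero events) and no combination can form.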
The CPC class tells you where this lands
The classification places the record squarely in network-security detection rather than cryptography. The lead security class is H04L 63/1441, the subclass for countering attacks by taking active response measures, which matches a claim that both detects and initiates mitigation. Around it sit network-monitoring and traffic-analysis subclasses, H04L 43/026 for flow-based monitoring and H04L 43/04 for producing monitoring reports, together with H04L 41/142 for using statistical methods in network management. That spread is consistent with the disclosure: this is not filed in the H04L 9/ cryptographic-mechanism family at all, because the claimed contribution is a detection-and-record pipeline, not a cipher or key scheme. In landscape terms it sits at the meeting point of endpoint detection and response and the software-supply-chain inventory the SBOM represents, with the claim's originality resting on wiring those two together.
Read against the same assignee's other filing in this drop, the coverage sorts into a pair. US20260189596A1, "Techniques for Agentless Detection of Sensitive Data on Managed Databases," is directed to a different mechanism, building data-file nodes in a security database and classifying sensitive data, and it carries a different CPC payload, including G06F 21/577 for vulnerability assessment and G06F 21/6245 for protecting personal data. One application is directed to recording runtime events for correlation; the other to modeling data at rest. They share the notion of a security database that represents the environment, but the claim sets cover distinct subject matter.
Across the wider July 2 batch, the hero claim's neighbors in the attack-countering subclass make the landscape concrete. US20260189600A1 is directed to threat detection across a collective of client networks that initiates an automated response on a rule match, sharing the H04L 63/1441 placement. US20260189576A1 is directed to edge-native detection that scores risk from a graph and pushes policy to enforcement nodes. US20260187247A1, assigned to Check Point Software Technologies, is directed to threat extraction and sandboxed emulation of downloaded files under the G06F 21/ security subclasses, and US20260189570A1 is directed to limiting privilege overreach through group-based access. These are separate filings by separate parties; cited here, they mark where the hero claim sits among its CPC neighbors rather than anything about their relative scope.
What the hero application claims, then, is narrower and more specific than "cloud detection": a sensor-based method that detects an event at the data-link layer, acts on a rule, and, as its distinguishing limitation, records the event into a software bill of materials, with dependent claims that use that record to remediate on a combination of separately observed elements. Whether the claims that ultimately issue track this published language is a question for prosecution, and the scope an examiner allows may be narrower than the disclosure reads. For the purpose of reading the record as filed, the coverage is plain on its face: the claim's originality is not in detecting or in acting, both routine, but in the place it puts the record of what it saw.