
2:25-cv-01195

Stealthpath IP Inc v. Fortinet Inc


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:25-cv-01195, E.D. Tex., 03/03/2026
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant Fortinet maintains a regular and established place of business in the district, its Frisco office, where it has allegedly committed acts of patent infringement through employees responsible for designing and supporting the accused technologies.
  • Core Dispute: Plaintiff alleges that Defendant's Secure SD-WAN, FortiGate, and FortiWiFi products infringe three U.S. patents related to software-defined networks and "zero trust" cybersecurity.
  • Technical Context: The technology at issue falls within the "zero trust" cybersecurity domain, a security model that assumes no user or device is trusted by default, requiring verification for every access request to protect distributed networks.
  • Key Procedural History: The currently operative First Amended Complaint was filed after an original complaint was served on December 10, 2025. Plaintiff alleges that on February 9, 2024, a U.S. Patent Office examiner cited the application that would issue as the '803 patent during the prosecution of one of Defendant's own patents, a fact that may be relevant to pre-suit knowledge for willfulness allegations. The '143 patent is a continuation of the application that issued as the '646 patent.

Case Timeline

| Date | Event |
| --- | --- |
| 2017-10-06 | Earliest Priority Date for '803, '646, and '143 Patents |
| 2019-08-06 | U.S. Patent No. 10,374,803 Issued |
| 2021-03-30 | U.S. Patent No. 10,965,646 Issued |
| 2023-08-15 | U.S. Patent No. 11,729,143 Issued |
| 2024-02-09 | Date Plaintiff alleges USPTO cited the '803 patent application during prosecution of a Fortinet patent |
| 2025-12-10 | Original Complaint Served; Date Plaintiff alleges Defendant's knowledge of infringement began for all patents |
| 2026-03-03 | First Amended Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,374,803 - Methods for Internet Communication Security (Issued Aug. 6, 2019)

The Invention Explained

  • Problem Addressed: The patent background describes a "need to address security threats that can arise during hypervisor-mediated communications" where virtual machines can be targeted by malware, either directly or through the hypervisor itself ('803 Patent, col. 1:31-36; Compl. ¶17).
  • The Patented Solution: The invention provides for a "network security layer resident in the hypervisor that authenticates and authorizes incoming communications before transmission to virtualized components" ('803 Patent, col. 1:45-52; Compl. ¶17). This security layer intercepts a network packet within the hypervisor, decrypts a portion of it using a single-use key to obtain parameters, compares those parameters to expected values for authorization, and only then passes the authorized packet to the virtual device ('803 Patent, col. 1:59-col. 2:5).
  • Technical Importance: This approach is intended to improve security by preventing malware that exploits shortcomings in hypervisors, such as vulnerabilities in memory management, from compromising virtualized systems (Compl. ¶18; '803 Patent, col. 22:49-61).

Key Claims at a Glance

  • The complaint asserts at least independent Claim 1 (Compl. ¶32).
  • Claim 1 Elements:
    • A product for authorizing network communications in a hypervisor comprising a non-transitory computer-readable storage medium with executable program code.
    • The program code performs communication management operations comprising:
      • intercepting a first network packet in the hypervisor, the packet comprising a first higher-than-OSI layer three portion;
      • decrypting, with a single-use cryptographic key, at least a portion of the first higher-than-OSI layer three portion to obtain one or more first packet parameters;
      • authorizing the first network packet in the hypervisor by comparing the one or more first packet parameters with one or more first expected values; and
      • passing the authorized first network packet to a virtual device.

U.S. Patent No. 10,965,646 - Methods For Internet Communication Security (Issued Mar. 30, 2021)

The Invention Explained

  • Problem Addressed: The patent addresses vulnerabilities in networks that arise from "weak-links in the network security in the form of legacy systems and devices that might not be able to support advanced techniques" (Compl. ¶20). This creates a need for "interfaces to immunize, or to at least limit the attendant risks of, communications between protected and unsecure networks" ('646 Patent, col. 1:42-46; Compl. ¶20).
  • The Patented Solution: The invention describes "bridging network communications between device networks sharing protected, trusted Ethernet-based communications with the large body of relatively unsecure legacy devices and networks" ('646 Patent, col. 1:51-56; Compl. ¶21). This is achieved by receiving a network packet, establishing a secure communication pathway with a user-application on another device through a multi-step identifier exchange, confirming the packet's payload conforms to a pre-assigned data model, and then passing the payload through the secure pathway ('646 Patent, col. 30:29-col. 31:9).
  • Technical Importance: This technology aims to provide a specific solution for securing communications in cybersecurity environments that contain a mix of modern, protected systems and older, unsecure legacy devices (Compl. ¶21).

Key Claims at a Glance

  • The complaint asserts at least independent Claim 1 (Compl. ¶54).
  • Claim 1 Elements:
    • A product for securing communications of a plurality of networked computing devices comprising a non-transitory computer-readable storage medium with executable program code.
    • The program code performs communication management operations comprising:
      • receiving a first port-to-port network packet from a first computing device;
      • establishing a secure communication pathway with a user-application at a second computing device, which comprises sending an application identifier, receiving a second application identifier in response, and comparing the second identifier with a pre-established value;
      • confirming a payload of the first port-to-port network packet conforms to a data model pre-assigned to the pre-established value for the user-application; and
      • passing the payload to the second computing device via the secure communication pathway.

U.S. Patent No. 11,729,143 - Methods For Internet Communication Security (Issued August 15, 2023)

  • Technology Synopsis: The patent describes techniques for securing communications between networked devices by consuming a network packet to obtain its payload and destination port, confirming the payload conforms to a pre-assigned data model for that port, forming a new packet with identification codes, and sending the new packet to security software on the destination device via a secure pathway (Compl. ¶24). This provides a specific method for validating and re-packaging data for secure transmission in a "zero trust" environment (Compl. ¶24).
  • Asserted Claims: The complaint asserts at least independent Claim 1 (Compl. ¶74).
  • Accused Features: The complaint alleges that Fortinet's application control sensors, which "recognize network traffic generated by a large number of applications" and "specify what action to take," infringe the '143 patent by consuming and confirming packets based on destination ports and pre-assigned data models (Compl. ¶¶77-79).

III. The Accused Instrumentality

Product Identification

The accused instrumentalities are Fortinet products that support Secure SD-WAN, specifically including Fortinet's FortiGate and FortiWiFi products (collectively, the "Accused Products") (Compl. ¶26).

Functionality and Market Context

The complaint describes the Accused Products as appliances that "integrate firewalling, SD-WAN, and security in one appliance" for building secure networks (Compl. ¶34). A specific virtual appliance, the FortiGate-VM, is alleged to be "executable in a hypervisor" and runs on platforms such as the Nutanix Acropolis Hypervisor (AHV) (Compl. ¶35). The complaint alleges these products provide functions including deep packet inspection, SSL inspection, threat detection, application control, and secure remote access (Compl. ¶36; Compl. ¶37; Compl. ¶38; Compl. ¶39; Compl. ¶40; Compl. ¶41). The complaint includes a marketing graphic indicating that Gartner has recognized Fortinet as a "Magic Quadrant™ Leader" for both Network Firewalls and SD-WAN, suggesting a significant market position (Compl. p. 10).

IV. Analysis of Infringement Allegations

'803 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| intercepting a first network packet in the hypervisor, the first network packet comprising a first higher-than-OSI layer three portion | The Accused Products, particularly the FortiGate-VM running on a hypervisor, allegedly intercept encrypted packets from an HTTPS session, which comprise a higher-than-OSI layer three portion. A provided diagram illustrates this interception step. (Compl. ¶36; Compl. p. 13) | ¶36 | col. 1:60-61 |
| decrypting, with a single-use cryptographic key, at least a portion of the first higher-than-OSI layer three portion to obtain one or more first packet parameters | The Accused Products allegedly perform decryption of SSL traffic for inspection. The complaint alleges this uses a single-use key, citing Fortinet's documentation that states "[e]very key should only be generated for a specific single-use encrypt/decrypt purpose." (Compl. ¶38; Compl. ¶39) | ¶38; ¶39 | col. 1:62-65 |
| authorizing the first network packet in the hypervisor, comprising: comparing the one or more first packet parameters with one or more first expected values | After decryption, the Accused Products allegedly perform "Content scanning" and "Protocol enforcement," which involves comparing parameters of the traffic (e.g., protocol and port) against expected or allowed values to authorize or block the traffic. (Compl. ¶40) | ¶40 | col. 2:1-3 |
| passing the authorized first network packet to a virtual device | After authorization, the Accused Products allegedly re-encrypt the packet and pass it to its destination, such as a web server, which may be a virtual device. (Compl. ¶41; Compl. p. 17) | ¶41 | col. 2:4-5 |

Identified Points of Contention

  • Scope Questions: A primary question may be whether the "in a hypervisor" limitation restricts infringement solely to Defendant's virtual appliances (e.g., FortiGate-VM). The infringement analysis may need to establish whether the physical FortiGate appliances contain or operate within a functional equivalent of a hypervisor as contemplated by the patent.
  • Technical Questions: The complaint's evidence for the "single-use cryptographic key" element relies on a statement of best practice from Defendant's documentation (Compl. ¶39). A point of contention may be whether the Accused Products actually implement this feature as required by the claim, or if their key management differs in a material way.

'646 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| receiving a first port-to-port network packet from a first computing device | The Accused Products are alleged to receive network packets, such as from a "Network user," for deep packet inspection. (Compl. ¶57) | ¶57 | col. 34:49-51 |
| establishing a secure communication pathway with a user-application at a second computing device... comprising: sending an application identifier...; receiving... a second application identifier...; and comparing the second application identifier with a pre-established value... | The Accused Products allegedly establish a secure pathway using a TLS handshake, where a server certificate ("first application identifier") is sent, and a client certificate/key ("second application identifier") is received in response and verified. (Compl. ¶¶58-60) | ¶¶58-60 | col. 35:34-40 |
| confirming a payload of the first port-to-port network packet conforms to a data model pre-assigned to the pre-established value for the user-application | The Accused Products allegedly perform a "Port enforcement check," where an IPS engine confirms that a detected application's traffic (the payload) is running on its standard TCP/IP port (the pre-assigned data model). (Compl. ¶61) | ¶61 | col. 39:9-15 |
| passing the payload to the second computing device via the secure communication pathway | After inspection and validation, the payload is allegedly passed to the second computing device (e.g., a web server or other endpoint) through the established secure SD-WAN pathway. (Compl. ¶62) | ¶62 | col. 39:20-22 |

Identified Points of Contention

  • Definitional Questions: The analysis may focus on whether a standard digital certificate used in a TLS handshake qualifies as the "application identifier" as that term is used in the patent. The court may need to determine if the patent requires a more specific, proprietary identifier.
  • Technical Questions: A question for the court may be whether the "Port enforcement check" functionality (Compl. ¶61) performs the specific step of confirming a payload "conforms to a data model pre-assigned to the pre-established value for the user-application," or if it performs a more general policy check that is technically distinct from the claimed step. The diagram of a TLS exchange illustrates the alleged multi-step process for establishing a secure pathway (Compl. p. 24).

V. Key Claim Terms for Construction

For U.S. Patent No. 10,374,803:

  • The Term: "in a hypervisor"
  • Context and Importance: This term appears in the preamble and body of Claim 1 and is central to the invention's described environment. Its construction is critical because it may determine whether the infringement case is limited to Defendant's virtual appliances (FortiGate-VM) or can extend to its much larger portfolio of physical hardware appliances, which would have significant implications for the potential scope of infringement and damages.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: Practitioners may argue that the term should be interpreted functionally to cover any environment that provides virtualization and intercepts traffic between a host and a guest system, even if not commercially marketed as a "hypervisor." The patent describes the invention as providing a "network security layer" ('803 Patent, col. 1:45-46), a concept that could arguably be implemented in hardware.
    • Evidence for a Narrower Interpretation: The patent's background explicitly identifies security threats in "hypervisor-mediated communications" as the problem being solved ('803 Patent, col. 1:31-36). The detailed description and claims consistently situate the invention's operations "in the hypervisor," suggesting the term is not merely environmental but integral to the claimed method.

For U.S. Patent No. 10,965,646:

  • The Term: "application identifier"
  • Context and Importance: This term is a key component of the "establishing a secure communication pathway" step of Claim 1. The complaint maps this term to digital certificates in a TLS handshake (Compl. ¶¶58-60). The viability of this infringement theory may depend on whether a standard X.509 certificate is construed to be an "application identifier."
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent does not explicitly limit the term to a proprietary code. The specification notes that the identifier may be used for a "user-application" ('646 Patent, claim 1), a function that a digital certificate performs by identifying and authenticating an application on a server or client.
    • Evidence for a Narrower Interpretation: The patent frequently discusses sending and comparing "nonpublic" identification codes ('646 Patent, claim 15). Practitioners may argue this language, present in dependent claims and the specification, suggests that the independent claim's "application identifier" should also be construed as a non-public, proprietary value distinct from a publicly verifiable digital certificate.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges active inducement, stating that Defendant provides instructions, support, and "regularly-scheduled webinars" that instruct customers on how to use the Accused Products in a manner that directly infringes the asserted patents (Compl. ¶44; Compl. ¶65). The complaint also alleges contributory infringement on the basis that the Accused Products are "especially made and/or adapted for infringement" and are not staple articles of commerce (Compl. ¶45; Compl. ¶66).
  • Willful Infringement: The complaint alleges willfulness based on both pre-suit and post-suit knowledge. Post-suit knowledge is based on the service of the original complaint on December 10, 2025 (Compl. ¶48). The allegation of pre-suit knowledge is based on a specific event: on February 9, 2024, the U.S. Patent Office examiner in the prosecution of Fortinet's own U.S. Patent No. 12,063,207 allegedly cited the U.S. patent application that would issue as the '803 patent (Compl. ¶47).

VII. Analyst's Conclusion: Key Questions for the Case

  • A central issue will be one of claim scope and environment: can the limitation "in a hypervisor" in the '803 patent be construed to cover the operation of Defendant's physical network appliances, or does it strictly limit the infringement analysis to Defendant's virtual machine products?
  • A key question of technical definition will be whether standard, widely-used security mechanisms, such as TLS handshakes and digital certificates, meet the specific requirements of patent terms like "application identifier" and "single-use cryptographic key," or if the patents require a more distinct, proprietary implementation not present in the accused functionality.
  • A critical factual question for willfulness will be whether the alleged citation of the '803 patent's application by a USPTO examiner during the prosecution of Defendant's own patent constitutes pre-suit knowledge of the asserted patent and its infringement, which could substantially impact potential damages.