BitSight v. NormShield: Cybersecurity Patent Dispute Ends in Dismissal

Case Overview

In a closely watched cybersecurity patent infringement dispute, BitSight Technologies, Inc. and NormShield, Inc. (operating as Black Kite) reached a mutual dismissal with prejudice in February 2025, ending a 527-day legal battle before Massachusetts District Court. Filed on September 5, 2023, under Case No. 1:23-cv-12055, the action centered on five U.S. patents covering information technology security assessment, organizational behavior-based risk ratings, and security risk management — technologies sitting at the commercial heart of the rapidly growing third-party cyber risk intelligence market.

The Parties

Patents at Issue

This action involved five U.S. patents spanning cybersecurity assessment methodologies, representing BitSight’s core technological infrastructure:

• • US11652834B2 — Information technology security assessment
• • US9973524B2 — Organizational behavior-based risk ratings
• • US9438615B2 — Security risk management methods
• • US10805331B2 — IT security assessment systems
• • US11777976B2 — Security risk management frameworks

The Verdict & Legal Analysis

Outcome

The action concluded through a joint stipulation of dismissal with prejudice, meaning all claims and counterclaims asserted by both BitSight and Black Kite were permanently extinguished. Neither party acknowledged liability. Each party bears its own attorneys’ fees and costs — a standard term in negotiated resolutions that signals neither side achieved a clearly dominant litigation posture sufficient to justify a fee-shifting motion under 35 U.S.C. § 285.

No damages award was issued. No injunctive relief was granted. Specific financial settlement terms, if any exist in a confidential side agreement, were not disclosed in public court filings.

Key Legal Issues

The formal verdict cause is classified as an infringement action, with BitSight asserting that Black Kite’s cybersecurity risk assessment products infringed claims across all five asserted patents. The presence of counterclaims — referenced in the dismissal stipulation — suggests Black Kite mounted affirmative defenses that likely included invalidity challenges, non-infringement positions, or potentially counterclaims for declaratory judgment.

This case reinforces several important dynamics in cybersecurity patent litigation:

• • Claim Scope in Algorithmic Patents: Patents covering behavioral analytics and risk scoring methodologies face inherent claim construction complexity. Defining the boundaries of software-implemented claims in cybersecurity contexts — particularly around what constitutes an “assessment system” or a “risk rating” method — often creates litigation uncertainty that incentivizes settlement.
• • Multi-Patent Assertion Strategies: BitSight’s assertion of five patents simultaneously reflects a portfolio enforcement approach designed to maximize claim coverage and complicate invalidity strategies. However, maintaining five active patent disputes through discovery and claim construction is resource-intensive, creating bilateral settlement pressure over time.
• • No Admitted Liability: The stipulation explicitly states it is “not an acknowledgement of liability of any Party,” preserving both parties’ reputational and competitive positions — a critical term for companies operating in trust-sensitive cybersecurity markets.