Detection gets most of the attention, but detection without mitigation is just a faster way to learn you've been breached. The expensive gap in most security programs isn't finding threats — modern tools find plenty — it's the time and effort between a confirmed threat and a contained one. Every minute in that gap is a minute the attacker keeps working, and bridging it is where a lot of the real value in defense now lives.
The grant US12182266B2, "Threat mitigation system and method" (issued December 31, 2024, assigned to ReliaQuest Holdings, LLC), spans the full arc. Its CPC classifications combine the malware class G06F 21/566, the intrusion-detection classes H04L 63/1416 and H04L 63/1441, and the policy class H04L 63/20 — detection and mitigation treated as one system, not two.
“A computer-implemented method, computer program product and computing system for receiving a plurality of detection events concerning a plurality of security events occurring on a security-relevant subsystem within a computing platform; identifying two or more associated detection events included wi…” — U.S. Patent No. 12,182,266
The mechanism worth understanding is the integration of detection with action. A system that only detects hands off to humans, who then have to decide and execute a response — a process measured in minutes or hours. A system built for mitigation can move directly from a confirmed threat to containment: isolating a host, blocking a connection, enforcing a policy, all without waiting for the slow handoff that lets attackers operate in the gap.
For defenders, the practical takeaway is that the value of detection is bounded by the speed of response. Investing only in finding threats while leaving mitigation manual and slow is investing in better awareness of damage you can't prevent fast enough. The integration of the two is what shrinks the attacker's window.
The risk that any automated mitigation system has to manage is the cost of acting on a false positive — automatically isolating a critical server because of a misjudged alert can cause its own outage. The patent's framing across detection, intrusion analysis, and policy reflects the care this requires: mitigation has to be confident enough to act and disciplined enough not to overreact, which is the central design tension of automated response.
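The detection-to-containment flow described above, together with the false-positive discipline this section calls for, as an added illustration (not code from the patent or from ReliaQuest): associated detection events are grouped per host, a combined confidence is computed, and automatic isolation is gated on a threshold, on agreement between independent sources, and on an approval step for assets the operator has marked critical. The thresholds, the noisy-OR scoring, the critical-asset list and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DetectionEvent:
    host: str
    source: str    # detection source, e.g. "edr", "ids", "proxy"
    signal: str    # what the source flagged
    score: float   # that source's own confidence, 0.0 to 1.0


# Assumed tunables (not from the patent): act only above this combined
# confidence, and only when at least two independent sources agree.
ACT_THRESHOLD = 0.85
MIN_SOURCES = 2
# Constructed: hosts whose isolation would itself be an outage; these are
# never isolated automatically, only after an analyst approves.
CRITICAL_ASSETS = {"db-prod-01"}


def correlate(events):
    """Group associated detection events by the host they concern."""
    groups = defaultdict(list)
    for e in events:
        groups[e.host].append(e)
    return groups


def confidence(group):
    """Noisy-OR combination: probability that at least one event is real,
    treating the per-source scores as independent (an assumption)."""
    p_none = 1.0
    for e in group:
        p_none *= 1.0 - e.score
    return 1.0 - p_none


def decide(host, group):
    """Return (action, confidence); 'alert' means hand off to an analyst."""
    sources = {e.source for e in group}
    conf = confidence(group)
    if len(group) < 2 or len(sources) < MIN_SOURCES or conf < ACT_THRESHOLD:
        return ("alert", conf)             # not confident enough to act
    if host in CRITICAL_ASSETS:
        return ("approve_required", conf)  # confident, but contain only with sign-off
    return ("isolate", conf)               # move straight to containment


def plan_response(events):
    return {h: decide(h, g) for h, g in correlate(events).items()}


SAMPLE = [  # constructed sample events, not real telemetry
    DetectionEvent("ws-0042", "edr", "credential_access", 0.7),
    DetectionEvent("ws-0042", "proxy", "beacon_to_known_bad_domain", 0.8),
    DetectionEvent("ws-0017", "edr", "suspicious_script", 0.6),
    DetectionEvent("db-prod-01", "edr", "credential_access", 0.7),
    DetectionEvent("db-prod-01", "ids", "lateral_movement", 0.9),
]
```

Running `plan_response(SAMPLE)` isolates ws-0042 (two sources, combined confidence 0.94), leaves ws-0017 as an analyst alert (a single source), and routes db-prod-01 to approval despite its 0.97 confidence.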