  United States Court of Appeals
      for the Federal Circuit
                ______________________

                   FINJAN, INC.,
                   Plaintiff-Appellee

                           v.

            BLUE COAT SYSTEMS, INC.,
                Defendant-Appellant
               ______________________

                      2016-2520
                ______________________

   Appeal from the United States District Court for the
Northern District of California in No. 5:13-cv-03999-BLF,
Judge Beth Labson Freeman.
                ______________________

               Decided: January 10, 2018
                ______________________

    PAUL J. ANDRE, Kramer Levin Naftalis & Frankel
LLP, Menlo Park, CA, argued for plaintiff-appellee. Also
represented by JAMES R. HANNAH, LISA KOBIALKA.

    MARK A. LEMLEY, Durie Tangri LLP, San Francisco,
CA, argued for defendant-appellant. Also represented by
SONALI DEEKSHA MAITRA, SONAL NARESH MEHTA,
CLEMENT ROBERTS; OLIVIA M. KIM, EDWARD POPLAWSKI,
Wilson, Sonsini, Goodrich & Rosati, P.C., Los Angeles,
CA.
                ______________________
2                     FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



     Before DYK, LINN, and HUGHES, Circuit Judges.
DYK, Circuit Judge.
    A jury found Blue Coat Systems, Inc. (“Blue Coat”) li-
able for infringement of four patents owned by Finjan,
Inc. (“Finjan”) and awarded approximately $39.5 million
in reasonable royalty damages. After trial, the district
court concluded that the ’844 patent was patent-eligible
under 35 U.S.C. § 101 and denied Blue Coat’s post-trial
motions for judgment as a matter of law (“JMOL”) and a
new trial. Blue Coat appeals.
     We find no error in the district court’s subject matter
eligibility determination as to the ’844 patent and agree
that substantial evidence supports the jury’s finding of
infringement of the ’844 and ’731 patents. However, we
conclude that Blue Coat was entitled to JMOL of non-
infringement for the ’968 patent because the accused
products do not perform the claimed “policy index” limita-
tion. On appeal, Blue Coat does not challenge the verdict
of infringement for the ’633 patent.
    With respect to damages, we affirm the award with
respect to the ’731 and ’633 patents. We vacate the dam-
ages award for the ’968 patent, as there was no infringe-
ment. With respect to the ’844 patent, we agree with Blue
Coat that Finjan failed to apportion damages to the
infringing functionality and that the $8-per-user royalty
rate was unsupported by substantial evidence.
   We therefore affirm-in-part, reverse-in-part, and re-
mand to the district court for further consideration of the
damages issue as to the ’844 patent.
                       BACKGROUND
    On August 28, 2013, Finjan brought suit against Blue
Coat in the Northern District of California for infringe-
ment of patents owned by Finjan and directed to identify-
ing and protecting against malware. Four of those patents
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                 3



are at issue on appeal. Claims 1, 7, 11, 14, and 41 of U.S.
Patent No. 6,154,844 (“the ’844 patent”) recite a system
and method for providing computer security by attaching
a security profile to a downloadable. Claims 1 and 17 of
U.S. Patent No. 7,418,731 (“the ’731 patent”) recite a
system and method for providing computer security at a
network gateway by comparing security profiles associat-
ed with requested files to the security policies of request-
ing users. Claim 1 of U.S. Patent No. 6,965,968 (“the ’968
patent”) recites a “policy-based cache manager” that
indicates the allowability of cached files under a plurality
of user security policies. Claim 14 of U.S Patent No.
7,647,633 (“the ’633 patent”) relates to a system and
method for using “mobile code runtime monitoring” to
protect against malicious downloadables.
    After a trial, the jury found that Blue Coat infringed
these four patents and awarded Finjan approximately
$39.5 million for Blue Coat’s infringement: $24 million for
the ’844 patent, $6 million for the ’731 patent, $7.75
million for the ’968 patent, and $1,666,700 for the ’633
patent. After a bench trial, the district court concluded
that the ’844 patent is directed to patent-eligible subject
matter under 35 U.S.C. § 101.
    Thereafter, the district court denied Blue Coat’s mo-
tions for judgment as a matter of law and a new trial,
concluding that Finjan had provided substantial evidence
to support each finding of infringement and the damages
award. Blue Coat appeals the district court’s rulings on
subject matter eligibility of the ’844 patent; infringement
of the ’844, ’731, and ’968 patents; and damages for the
’844, ’731, ’968, and ’633 patents. We have jurisdiction
pursuant to 28 U.S.C. § 1295(a)(1).
4                     FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



                        DISCUSSION
      I. Subject Matter Eligibility of the ’844 Patent
    We first address subject matter eligibility with respect
to the ’844 patent. We review the district court’s decision
de novo. McRO, Inc. v. Bandai Namco Games Am. Inc.,
837 F.3d 1299, 1311 (Fed. Cir. 2016).
     Section 101 provides that a patent may be obtained
for “any new and useful process, machine, manufacture,
or composition of matter, or any new and useful improve-
ment thereof.” 35 U.S.C. § 101. The Supreme Court has
long recognized, however, that § 101 implicitly excludes
“laws of nature, natural phenomena, and abstract ideas”
from the realm of patent-eligible subject matter, as mo-
nopolization of these “basic tools of scientific and techno-
logical work” would stifle the very innovation that the
patent system aims to promote. Alice Corp. v. CLS Bank
Int’l, 134 S. Ct. 2347, 2354 (2014) (quoting Ass’n for
Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct.
2107, 2116 (2013)); see also Mayo Collaborative Servs. v.
Prometheus Labs., Inc., 132 S. Ct. 1289, 1294-97 (2012);
Diamond v. Diehr, 450 U.S. 175, 185 (1981).
    The Supreme Court has instructed us to use a two-
step framework to “distinguish[] patents that claim laws
of nature, natural phenomena, and abstract ideas from
those that claim patent-eligible applications of those
concepts.” Alice, 134 S. Ct. at 2355. At the first step, we
determine whether the claims at issue are “directed to” a
patent-ineligible concept. Id. If they are, we then “consid-
er the elements of each claim both individually and ‘as an
ordered combination’ to determine whether the additional
elements ‘transform the nature of the claim’ into a patent-
eligible application.” Id. (quoting Mayo, 132 S. Ct. at
1298). This is the search for an “inventive concept”—
something sufficient to ensure that the claim amounts to
“significantly more” than the abstract idea itself. Id.
(quoting Mayo, 132 S.Ct. at 1294).
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                 5



    Starting at step one, we must first examine the ’844
patent’s “claimed advance” to determine whether the
claims are directed to an abstract idea. Affinity Labs of
Tex., LLC v. DIRECTV, LLC, 838 F.3d 1253, 1257 (Fed.
Cir. 2016). In cases involving software innovations, this
inquiry often turns on whether the claims focus on “the
specific asserted improvement in computer capabili-
ties . . . or, instead, on a process that qualifies as an
‘abstract idea’ for which computers are invoked merely as
a tool.” Enfish, LLC v. Microsoft Corp., 822 F.3d 1327,
1335–36 (Fed. Cir. 2016).
    The ’844 patent is directed to a method of providing
computer security by scanning a downloadable and at-
taching the results of that scan to the downloadable itself
in the form of a “security profile.” Claim 1 of the ’844
patent, which the district court found representative for
§ 101 purposes, reads:
    1. A method comprising:
    receiving by an inspector a Downloadable;
    generating by the inspector a first Downloadable
    security profile that identifies suspicious code in
    the received Downloadable; and
    linking by the inspector the first Downloadable
    security profile to the Downloadable before a web
    server makes the Downloadable available to web
    clients.
’844 patent, col. 11 ll. 11–21. At claim construction, the
parties agreed that “Downloadable” should be construed
to mean “an executable application program, which is
downloaded from a source computer and run on the
destination computer.” Additionally, the district court
construed “Downloadable security profile that identifies
suspicious code in the received Downloadable” to mean “a
profile that identifies code in the received Downloadable
that performs hostile or potentially hostile operations.”
6                      FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



     We determined in Intellectual Ventures I LLC v. Sy-
mantec Corp., 838 F.3d 1307, 1319 (Fed. Cir. 2016), that
“[b]y itself, virus screening is well-known and constitutes
an abstract idea.” We also found that performing the virus
scan on an intermediary computer—so as to ensure that
files are scanned before they can reach a user’s comput-
er—is a “perfectly conventional” approach and is also
abstract. Id. at 1321. Here the claimed method does a
good deal more.
     Claim 1 of the ’844 patent scans a downloadable and
attaches the virus scan results to the downloadable in the
form of a newly generated file: a “security profile that
identifies suspicious code in the received Downloadable.”
The district court’s claim construction decision emphasiz-
es that this “identif[y] suspicious code” limitation can only
be satisfied if the security profile includes “details about
the suspicious code in the received downloadable, such
as . . . ‘all potentially hostile or suspicious code operations
that may be attempted by the Downloadable.’” Finjan,
Inc. v. Blue Coat Sys., Inc., No. 13-CV-03999-BLF, 2014
WL 5361976, at *9 (N.D. Cal. Oct. 20, 2014). The security
profile must include the information about potentially
hostile operations produced by a “behavior-based” virus
scan. This operation is distinguished from traditional,
“code-matching” virus scans that are limited to recogniz-
ing the presence of previously-identified viruses, typically
by comparing the code in a downloadable to a database of
known suspicious code. The question, then, is whether
this behavior-based virus scan in the ’844 patent consti-
tutes an improvement in computer functionality. We
think it does.
    The “behavior-based” approach to virus scanning was
pioneered by Finjan and is disclosed in the ’844 patent’s
specification. In contrast to traditional “code-matching”
systems, which simply look for the presence of known
viruses, “behavior-based” scans can analyze a down-
loadable’s code and determine whether it performs poten-
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                 7



tially dangerous or unwanted operations—such as renam-
ing or deleting files. Because security profiles communi-
cate the granular information about potentially suspicious
code made available by behavior-based scans, they can be
used to protect against previously unknown viruses as
well as “obfuscated code”—known viruses that have been
cosmetically modified to avoid detection by code-matching
virus scans.
    The security profile approach also enables more flexi-
ble and nuanced virus filtering. After an inspector gener-
ates a security profile for a downloadable, a user’s
computer can determine whether to access that down-
loadable by reviewing its security profile according to the
rules in whatever “security policy” is associated with the
user. Administrators can easily tailor access by applying
different security policies to different users or types of
users. And having the security profile include information
about particular potential threats enables administrators
to craft security policies with highly granular rules and to
alter those security policies in response to evolving
threats.
    Our cases confirm that software-based innovations
can make “non-abstract improvements to computer tech-
nology” and be deemed patent-eligible subject matter at
step 1. Enfish, 822 F.3d at 1335–36. In Enfish, for in-
stance, the court determined that claims related to a
database architecture that used a new, self-referential
logical table were non-abstract because they focused on
“an improvement to computer functionality itself, not on
economic or other tasks for which a computer is used in
its ordinary capacity.” Id. at 1336. Indeed, the self-
referential database found patent eligible in Enfish did
more than allow computers to perform familiar tasks with
greater speed and efficiency; it actually permitted users to
launch and construct databases in a new way. While
deployment of a traditional relational database involved
“extensive modeling and configuration of the various
8                     FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



tables and relationships in advance of launching the
database,” Enfish’s self-referential database could be
launched “with no or only minimal column definitions”
and configured and adapted “on-the-fly.” Id. at 1333.
     Similarly, the method of claim 1 employs a new kind
of file that enables a computer security system to do
things it could not do before. The security profile approach
allows access to be tailored for different users and ensures
that threats are identified before a file reaches a user’s
computer. The fact that the security profile “identifies
suspicious code” allows the system to accumulate and
utilize newly available, behavior-based information about
potential threats. The asserted claims are therefore
directed to a non-abstract improvement in computer
functionality, rather than the abstract idea of computer
security writ large.
    Even accepting that the claims are directed to a new
idea, Blue Coat argues that they remain abstract because
they do not sufficiently describe how to implement that
idea. To support this argument, Blue Coat points to
Apple, Inc. v. Ameranth, Inc., where we invalidated claims
related to a computer system that can generate a second
menu from a first menu based on a selection of items on
the first menu. 842 F.3d 1229, 1240–41 (Fed. Cir. 2016).
In that case, we held that the patents were directed to an
abstract idea because they “d[id] not claim a particular
way of programming or designing the software . . . but
instead merely claim the resulting systems.” Id. at 1241.
Blue Coat also relies on Affinity Labs, where we held that
a claim related to wirelessly communicating regional
broadcast content to an out-of-region recipient was ab-
stract and patent ineligible because there was nothing in
the claim “directed to how to implement [the idea]. Ra-
ther, the claim is drawn to the idea itself.” 838 F.3d at
1258. And Blue Coat also notes that, in Intellectual Ven-
tures, we found claims directed to email filtering to be
abstract and patent ineligible when there is “no re-
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                  9



striction on how the result is accomplished . . . [and] [t]he
mechanism . . . is not described.” 838 F.3d 1307, 1316
(Fed. Cir. 2016) (quoting Internet Patents Corp. v. Active
Network, Inc., 790 F.3d 1343, 1348 (Fed. Cir. 2015)).
    Apple, Affinity Labs, and other similar cases hearken
back to a foundational patent law principle: that a result,
even an innovative result, is not itself patentable. See
Corning v. Burden, 56 U.S. 252, 268 (1853) (explaining
that patents are granted “for the discovery or invention of
some practicable method or means of producing a benefi-
cial result or effect . . . and not for the result or effect
itself”); O’Reilly v. Morse, 56 U.S. 62, 112–113 (1853)
(invalidating a claim that purported to cover all uses of
electromagnetism for which “the result is the making or
printing intelligible characters, signs, or letters at a
distance” as “too broad, and not warranted by law”).
     Here, the claims recite more than a mere result. In-
stead, they recite specific steps—generating a security
profile that identifies suspicious code and linking it to a
downloadable—that accomplish the desired result. More-
over, there is no contention that the only thing disclosed
is the result and not an inventive arrangement for accom-
plishing the result. There is no need to set forth a further
inventive concept for implementing the invention. The
idea is non-abstract and there is no need to proceed to
step two of Alice.
                        II. Infringement
    At trial, the jury found that Blue Coat’s products in-
fringed the ’844, ’731, and ’968 patents. The district court
denied Blue Coat’s post-trial motions for judgment as a
matter of law and a new trial, finding that Finjan had
provided substantial evidence to support each finding of
infringement and that the jury verdict was not against
the weight of the evidence. We review denials of motions
for JMOL de novo and motions for new trial for abuse of
10                     FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



discretion. Revolution Eyewear, Inc. v. Aspex Eyewear,
Inc., 563 F.3d 1358, 1370–71 (Fed. Cir. 2009).
                       A. ’844 Patent
    Blue Coat first argues that the district court should
have granted JMOL of non-infringement as to the assert-
ed claims in the ’844 patent because substantial evidence
did not support the jury verdict. Specifically, Blue Coat
contends that the asserted claims, requiring linking a
security profile to a downloadable “before a web server
makes the Downloadable available to web clients,” can
only be infringed by a server-side product that evaluates
content before it is published to the Internet in the first
place. Blue Coat’s product, WebPulse, is a cloud-based
service that provides information about downloadables to
a customer’s network gateway in order to help the net-
work gateway determine whether a particular down-
loadable can be accessed by a specific end user. Because
WebPulse only evaluates downloadables that are already
publicly available on the Internet, Blue Coat argues that
it does not infringe.
     Blue Coat made no request for a claim construction
that would require linking the security profile to the
downloadable before the downloadable is placed on the
Internet. Blue Coat cannot raise the claim construction
issue for the first time in post-trial motions: “it is too late
at the JMOL stage to argue for or adopt a new and more
detailed interpretation of the claim language and test the
jury verdict by that new and more detailed interpreta-
tion.” Hewlett-Packard Co. v. Mustek Sys., Inc., 340 F.3d
1314, 1321 (Fed. Cir. 2003). Under such circumstances,
“the question for the trial court is limited to whether
substantial evidence supports the jury’s verdict under the
issued construction.” Wi-Lan, Inc. v. Apple, Inc., 811 F.3d
455, 465 (Fed. Cir. 2016). Here, the claim, as construed by
the district court, requires “linking by the inspector the
first Downloadable security profile to the Downloadable
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                 11



before [a/the] non-network gateway web server make[s]
the Downloadable available to web clients.” ’844 patent,
col. 11 ll. 18-20; J.A. 25. The jury was instructed to apply
this construction.
    It was reasonable for the jury to interpret “web cli-
ents” in this context to refer to the specific web clients
protected by the claimed system. Likewise, the limitation
requiring that linking occur before a downloadable is
“ma[de] . . . available to web clients” could reasonably be
understood to require that linking occur at some point
before users are permitted to access that downloadable—
but not necessarily before the downloadable is made
available on the Internet. Blue Coat concedes that, at the
time a security profile is linked, the “particular web client
cannot yet receive the downloadable—but the web serv-
er has made it available . . . .” Reply Br. 9. Given the
undisputed evidence that WebPulse links security profiles
to downloadables before downloadables can be received by
users of the service, we find that the ’844 infringement
verdict was supported by substantial evidence.
                         B. ’731 Patent
    We next consider Blue Coat’s claim that it was enti-
tled to JMOL of non-infringement as to the asserted
claims of the ’731 patent. The ’731 patent is directed to a
computer gateway that protects a private intranet from
malicious software embedded in webpages on the public
Internet. 1 The claimed gateway operates by scanning



    1   Claim 1 of the ’731 patent reads:
    1. A computer gateway for an intranet of comput-
    ers, comprising:
        a scanner for scanning incoming files from the
        Internet and deriving security profiles for the
        incoming files, wherein each of the security
12                      FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



potentially malicious files and creating “security profiles”
that each comprise “a list of computer commands that the
file is programmed to perform.” ’731 patent, col. 4 ll. 47–
48. Claim 17 further specifies that the security profile
include “a list of at least one computer command that the
retrieved file is programmed to perform.” ’731 patent,
col. 13 ll. 7–8. Once these security profiles have been
generated, they can be compared with the security policy
associated with a given user in order to decide whether
the file should be provided to that user.
    Blue Coat argues that the ’731 patent was not in-
fringed as a matter of law because the “security profiles”
created by the accused product do not contain the requi-


         profiles comprises a list of computer com-
         mands that a corresponding one of the incom-
         ing files is programmed to perform;
         a file cache for storing files that have been
         scanned by the scanner for future access,
         wherein each of the stored files is indexed by a
         file identifier; and
         a security profile cache for storing the security
         profiles derived by the scanner, wherein each
         of the security profiles is indexed in the secu-
         rity profile cache by a file identifier associated
         with a corresponding file stored in the file
         cache; and
         a security policy cache for storing security pol-
         icies for intranet computers within the intra-
         net, the security policies each including a list
         of restrictions for files that are transmitted to
         a corresponding subset of the intranet com-
         puters.
     ’731 patent, col. 11 ll. 35–55.
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.               13



site “list of computer commands.” Because Blue Coat did
not request a construction of the “list of commands” term,
we apply the ordinary meaning. We find that substantial
evidence supports the jury’s finding of infringement.
     At trial, Finjan presented evidence demonstrating
that the accused product creates a new file called “cook-
ie2” each time it scans an incoming file for potential
malware. Cookie2 comprises a set of fields, each field
representing various characteristics about the down-
loadable file. Fields 78–80 of Cookie2 represent certain
commands and show whether those commands—such as
eval(), unescape(), and document.write()—appear in the
incoming file. In fields 78–80, an integer represents the
number of times each command appears. Finjan’s expert,
Dr. Mitzenmacher, testified that the data contained in
fields 78–80 “is clearly a list of computer commands.” J.A.
40383.
     Blue Coat argues that this is not enough and that the
“list of commands” limitation cannot be satisfied by “an
identifier of a type of command the system should watch
for.” Appellant Br. 34. But the claim language simply
requires that the security profile contain “a list of com-
puter commands that a corresponding one of the incoming
files is programmed to perform.” It does not mandate any
particular representation of that information—much less
require that the commands be listed in the form of exe-
cutable code. Dr. Mitzenmacher testified at trial that the
integers in fields 78–80 are “clearly a list of computer
commands” because “those numbers determine whether
or not those commands are in the security profile.” J.A.
40383–84. He also notes that “there are many ways of
representing a list [of computer commands], including the
way it is represented here.” J.A. 40384. Substantial
evidence supports the jury’s implied finding that the “list
of commands” limitation is satisfied by the integers in
Fields 78–80 of Cookie2, and the patent is infringed.
14                    FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



                       C. ’968 Patent
    Blue Coat also argues that it was entitled to JMOL of
non-infringement with respect to the ’968 patent because
Finjan failed to introduce substantial evidence that the
accused products implement the claimed “policy index.”
We agree.
    The ’968 patent is directed to a “policy-based” cache
manager that can efficiently manage cached content
according to a plurality of security policies. The patentee
agrees that a “policy” is a rule or set of rules that deter-
mines whether a piece of content can be accessed by a
user. Different policies can apply to different users, and
the decision of whether to let a user access content is
made by comparing the content’s security profile with the
policy governing the user’s access. Thus, the policy based
cache manager in the ’968 patent is a data structure that
keeps track of whether content is permitted under various
policies. Claim 1, the sole asserted claim, is reproduced
below, with key language underlined:
     1. A policy-based cache manager, comprising:
        a memory storing a cache of digital con-
        tent, a plurality of policies, and a policy
        index to the cache contents, the policy in-
        dex including entries that relate cache
        content and policies by indicating cache
        content that is known to be allowable rela-
        tive to a given policy, for each of a plurali-
        ty of policies;
        a content scanner, communicatively cou-
        pled with said memory, for scanning a dig-
        ital content received, to derive a
        corresponding content profile; and
        a content evaluator, communicatively cou-
        pled with said memory, for determining
        whether a given digital content is allowa-
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                15



        ble relative to a given policy, based on the
        content profile, the results of which are
        saved as entries in the policy index.
’968 patent col. 9 ll. 47–62. At claim construction, the
parties stipulated that “policy index” means “a data
structure indicating allowability of cached content rela-
tive to a plurality of policies.” The jury was instructed to
apply this construction. Once again, we test the jury’s
infringement verdict based on this claim language and
claim construction. Hewlett-Packard Co., 340 F.3d at
1320–21.
    Trial testimony demonstrated that the accused prod-
uct, Proxy SG, is a gateway between an intranet of com-
puters and the Internet at large. Every time a user
requests a file, Proxy SG will analyze that file and deter-
mine whether access is permitted under the user’s securi-
ty policy. As Proxy SG evaluates a file, it can cache the
results of individual rules within a policy and use that
information to speed up the process of making an ulti-
mate policy decision. Early in its analysis, for instance,
Proxy SG can check the “category” of the file and then
determine whether the user’s policy has any rules related
to the “category” field. Proxy SG can then store “the
evaluations of the parts of the rules that deal with this
category field . . . . So you don’t have to reevaluate those
conditions again.” J.A. 40327–28. As Finjan’s expert
expressly acknowledged, however, Proxy SG does not save
final decisions about whether content can be accessed by
users subject to a given policy. It simply stores the evalu-
ation of each individual rule that goes into making an
ultimate policy decision. This is not what the claim lan-
guage requires. The policy index claimed in the ’968
patent must store the “results” of a content evaluator’s
determination of “whether a given digital content is
allowable relative to a given policy.”
16                    FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



    At summary judgment, the district court agreed that
this claim language requires the policy index to store final
allowability determinations and noted that “Defendant’s
argument would likely prevail if all policies consist of
multiple rules or conditions.” Finjan, Inc. v. Blue Coat
Sys., Inc., No. 13-CV-03999-BLF, 2015 WL 3630000, at *9
(N.D. Cal. June 2, 2015). The court nevertheless declined
to grant summary judgement because “the ’968 patent
specifically provides that a policy can be just one rule.” Id.
If Proxy SG saved the results of applying each rule that
makes up a one-rule policy, it would be saving final al-
lowability determinations for a plurality of policies and
thus infringing. The district court therefore gave Finjan
the opportunity to prove at trial that “the Proxy SG policy
cache contains a number of condition evaluations, each of
which is determinative of whether a file is allowable
relative to one of a plurality of single condition policies.”
Id.
    At trial, Finjan made no such showing. There was no
evidence indicating that the condition determinations
stored by Proxy SG are final allowability decisions for
users governed by single-rule policies. Indeed, Finjan’s
expert acknowledged that Proxy SG never saves final
allowability determinations and must instead re-evaluate
the allowability of content each time it is requested. It is
therefore clear that the jury’s infringement verdict was
not supported by substantial evidence.
    Because Finjan failed to present evidence that the ac-
cused product ever stores final allowability determina-
tions, Blue Coat was entitled to JMOL of non-
infringement.
                        III. Damages
    We now turn to Blue Coat’s damages arguments with
respect to the ’844, ’731, and ’633 patents. The starting
point is 35 U.S.C. § 284, which limits damages to those
“adequate to compensate for the infringement.” Two
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                17



categories of compensation for infringement are the
patentee’s lost profits and the “reasonable royalty he
would have received through arms-length bargaining.”
Lucent Techs., Inc. v. Gateway, Inc., 580 F.3d 1301, 1324
(Fed. Cir. 2009).
     The only measure of damages at issue in this case is a
reasonable royalty, which “seeks to compensate the pa-
tentee . . . for its lost opportunity to obtain a reasonable
royalty that the infringer would have been willing to pay
if it had been barred from infringing.” AstraZeneca AB v.
Apotex Corp., 782 F.3d 1324, 1334 (Fed. Cir. 2015) (citing
Lucent Techs., 580 F.3d at 1325).
                         A. ’844 Patent
    Blue Coat first argues that, in calculating a royalty
base, Finjan failed to apportion damages to the infringing
functionality. We agree.
    When the accused technology does not make up the
whole of the accused product, apportionment is required.
“[T]he ultimate combination of royalty base and royalty
rate must reflect the value attributable to the infringing
features of the product, and no more.” Ericsson, Inc. v. D–
Link Sys., Inc., 773 F.3d 1201, 1226 (Fed. Cir. 2014); see
also Mentor Graphics v. EVE-USA, 870 F.3d 1298, 1299
(Fed. Cir. 2017) (order denying rehearing en banc)
(“[W]here an infringing product is a multi-component
product with patented and unpatented components,
apportionment is required.”); VirnetX, Inc. v. Cisco Sys.,
Inc., 767 F.3d 1308, 1326 (Fed. Cir. 2014) (“No matter
what the form of the royalty, a patentee must take care to
seek only those damages attributable to the infringing
features.”). In such cases, the patentee must “give evi-
dence tending to separate or apportion the [infringer]'s
profits and the patentee's damages between the patented
feature and the unpatented features, and such evidence
must be reliable and tangible, and not conjectural or
speculative.” Garretson v. Clark, 111 U.S. 120, 121 (1884).
18                    FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



Finjan, as the present patent holder, had the burden of
proving damages by a preponderance of the evidence.
    WebPulse, the infringing product, is a cloud-based
system that associates URLs with over eighty different
categories, including pornography, gambling, shopping,
social networking, and “suspicious”—which is a category
meant to identify potential malware. WebPulse is not sold
by itself. Rather, other Blue Coat products, like Proxy SG,
use WebPulse’s category information to make allowability
determinations about URLs that end users are trying to
access.
    DRTR, which stands for “dynamic real-time rating
engine,” is the part of WebPulse responsible for analyzing
URLs that have not already been categorized. DRTR
performs both infringing and non-infringing functions.
When a user requests access to a URL that is not already
in the WebPulse database—a brand new website, for
instance—DRTR will analyze the content, assign a cate-
gory or categories, and collect metadata about the site for
further use. As part of that analysis, DRTR will examine
the URL for malicious or suspicious code, create a kind of
“security profile” highlighting that information, and then
“attach” the security profile to the given URL. This in-
fringes the ’844 patent. But the DRTR analysis also
evaluates whether the URL fits into categories ranging
from pornography to news. These additional categories
are unrelated to DRTR’s malware identification function
but are still valuable for companies trying to, say, prevent
employees from using social media while on the job.
DRTR also collects metadata about the URL for Blue
Coat’s later use. In other words, all of the infringing
functionality occurs in DRTR, but some DRTR functions
infringe and some do not.
    At trial, Finjan attempted to tie the royalty base to
the incremental value of the infringement by multiplying
WebPulse’s total number of users by the percentage of
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                19



web traffic that passes through DRTR, the WebPulse
component that performs the infringing method. DRTR
processes roughly 4% of WebPulse’s total web requests, so
Finjan established a royalty base by multiplying the 75
million worldwide WebPulse users by 4%. Although
DRTR also performs the non-infringing functions de-
scribed above, Finjan did not perform any further appor-
tionment on the royalty base.
    Finjan argues that apportionment to DRTR is ade-
quate because DRTR is the “smallest, identifiable tech-
nical component” tied to the footprint of the invention.
Appellee Br. 49–50. This argument, which draws from
this court’s precedent regarding apportionment to the
“smallest salable patent-practicing unit” of an infringing
product, does not help Finjan. The smallest salable unit
principle directs that “in any case involving multi-
component products, patentees may not calculate damag-
es based on sales of the entire product, as opposed to the
smallest salable patent-practicing unit, without showing
that the demand for the entire product is attributable to
the patented feature.” LaserDynamics, Inc. v. Quanta
Comput., Inc., 694 F.3d 51, 67–68 (Fed. Cir. 2012). The
entire market value rule is not at issue in this case,
however, and the fact that Finjan has established a
royalty base based on the “smallest, identifiable technical
component” does not insulate them from the “essential
requirement” that the “ultimate reasonable royalty award
must be based on the incremental value that the patented
invention adds to the end product.” Ericsson, 773 F.3d at
1226. As we noted in VirnetX, if the smallest salable
unit—or smallest identifiable technical component—
contains non-infringing features, additional apportion-
ment is still required. VirnetX, 767 F.3d at 1327 (rejecting
a jury instruction that “mistakenly suggest[ed] that when
the smallest salable unit is used as the royalty base, there
is necessarily no further constraint on the selection of the
base”).
20                    FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



    Finjan further defends its apportionment methodolo-
gy by asserting that it demonstrated that “many of these
other categories were unimportant.” Appellee Br. 51. But
the claimed unimportance of particular categories (e.g.
“Macy’s and shopping”) does not speak to the overall
importance of identifying categories unrelated to mal-
ware. Malware detection is undoubtedly an important
driver of DRTR’s (and WebPulse’s) value. At trial, for
instance, Dr. Layne-Farrar pointed to an internal Blue
Coat email stating that “[t]oday the main value of [Web-
Filter and WebPulse] centers around zero-day malware
protection.” J.A. 40571. She also referenced a 2012 public-
facing document entitled “Five reasons to choose Blue
Coat,” which gave “negative-day defense: stop malware at
the source” as reason number two. J.A. 40572–73. But it
is evident that Blue Coat’s customers also value
WebPulse’s ability to identify and filter other categories of
content. A Blue Coat whitepaper discussed at trial promi-
nently advertises the fact that WebPulse provides “the
granular category control that businesses need to imple-
ment acceptable Internet use policies.” J.A. 53136. And
Finjan’s expert used an example about a company that
wanted to bar access to certain sites categorized as “gam-
bling.” “Whether ‘viewed as valuable, important, or even
essential,’ the patented feature must be separated.”
VirnetX, 767 F.3d at 1329 (quoting LaserDynamics, 694
F.3d at 68).
    Because DRTR is itself a multi-component software
engine that includes non-infringing features, the percent-
age of web traffic handled by DRTR is not a proxy for the
incremental value of the patented technology to WebPulse
as a whole. Further apportionment was required to reflect
the value of the patented technology compared to the
value of the unpatented elements.
    Blue Coat also identifies a second error in Finjan’s
reasonable royalty calculation. To arrive at a lump sum
reasonable royalty payment for infringement of the ’844
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.               21



patent, Finjan simply multiplied the royalty base by an
$8-per-user royalty rate. Blue Coat contends that there is
no basis for the $8-per-user rate.
    We agree with Blue Coat that the $8-per-user royalty
rate employed in Finjan’s analysis was unsupported by
substantial evidence. There is no evidence that Finjan
ever actually used or proposed an $8-per-user fee in any
comparable license or negotiation. Rather, the $8-per-user
fee is based on testimony from Finjan’s Vice President of
IP Licensing, Ivan Chaperot, that the current “starting
point” in licensing negotiations is an “8 to 16 percent
royalty rate or something that is consistent with
that . . . like $8 per user fee.” J.A. 40409. Mr. Chaperot
further testified that the 8–16% figure was based on a
2008 verdict obtained by Finjan against Secure Compu-
ting. On this basis, Finjan’s counsel urged the jury to use
an $8-per-user royalty rate for the hypothetical negotia-
tion because “that’s what Finjan would have asked for at
the time.” J.A. 41654.
     While any reasonable royalty analysis “necessarily in-
volves an element of approximation and uncertainty, a
trier of fact must have some factual basis for a determina-
tion of a reasonable royalty.” Unisplay, S.A. v. Am. Elec.
Sign Co., 69 F.3d 512, 517 (Fed. Cir. 1995). Mr. Chaper-
ot’s testimony that an $8-per-user fee is “consistent with”
the 8–16% royalty rate established in Secure Computing
is insufficient. There is no evidence to support Mr. Chap-
erot’s conclusory statement that an 8–16% royalty rate
would correspond to an $8-per-user fee, and Finjan fails to
adequately tie the facts of Secure Computing to the facts
in this case. See LaserDynamics, 694 F.3d at 79
(“[A]lleging a loose or vague comparability between differ-
ent technologies or licenses does not suffice.”).
    Secure Computing did not involve the ’844 patent, and
there is no evidence showing that the patents that were at
issue are economically or technologically comparable.
22                    FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



Finjan’s evidence on this point is limited to the fact that
that the infringing products in Secure Computing were
also in the computer security field and that Secure Com-
puting was a competitor of Blue Coat in 2008. This sur-
face similarity is far too general to be the basis for a
reasonable royalty calculation. In any case, Mr. Chaper-
ot’s testimony that an 8–16% royalty rate would be the
current starting point in licensing negotiations says little
about what the parties would have proposed or agreed to
in a hypothetical arm’s length negotiation in 2008. And
Finjan’s evidence of a $14–34 software user fee is not
indicative of how much the parties would have paid to
license a patent. See Uniloc USA, Inc. v. Microsoft Corp.,
632 F.3d 1292, 1317 (Fed. Cir. 2011) (“[T]here must be a
basis in fact to associate the royalty rates used in prior
licenses to the particular hypothetical negotiation at issue
in the case.”). In short, the $8-per-user fee appears to
have been plucked from thin air and, as such, cannot be
the basis for a reasonable royalty calculation.
    While it is clear that Finjan failed to present a dam-
ages case that can support the jury’s verdict, reversal of
JMOL could result in a situation in which Finjan receives
no compensation for Blue Coat’s infringement of the ’844
patent. Ordinarily, “the district court must award damag-
es in an amount no less than a reasonable royalty” when
infringement is found, Dow Chem. Co. v. Mee Indus., Inc.,
341 F.3d 1370, 1381 (Fed. Cir. 2003); see Riles v. Shell
Expl. & Prod. Co., 298 F.3d 1302, 1313 (Fed. Cir. 2002),
unless the patent holder has waived the right to damages
based on alternate theories, Promega Corp. v. Life Tech.
Corp., No. 2013-1011, slip op. at 15 (Fed. Cir. 2017). We
therefore remand to the district court to determine
whether Finjan has waived the right to establish reason-
able royalty damages under a new theory and whether to
order a new trial on damages.
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.                23



                    B. ’731 and ’633 Patents
    For the ’731 and ’633 patents, Finjan’s expert did ap-
portion the revenues comprising the royalty base between
infringing and non-infringing functionality of Proxy SG.
Blue Coat argues that the apportionment was insufficient.
We disagree.
    Finjan’s expert, Dr. Layne-Farrar, based her appor-
tionment analysis for the ’731 and ’633 patents on an
architectural diagram prepared by Blue Coat. The dia-
gram is entitled “Secure Web Gateway: Functions” and
shows twenty-four boxes representing different parts of
the Secure Web Gateway system. Dr. Layne-Farrar
assumed that each box represented one top level function
and that each function was equally valuable. Thus, be-
cause one function infringed the ’633 patent, and three
infringed the ’731 patent, she used a 1/24th apportion-
ment for the ’633 patent and a 3/24th apportionment for
the ’731 patent.
    Blue Coat argues that there was no evidence to sup-
port Dr. Layne-Farrar’s assumption that each box repre-
sents a “function” and that each function should be
treated as equally valuable. But at trial, Dr. Layne-Farrar
testified that her assumption was based on Blue Coat’s
own diagram, which is entitled “Secure Web Gateway:
Functions”, as well as her discussions with Mr. Medovic, a
Finjan technical expert who explained the use of architec-
tural diagrams and identified certain components within
the diagram that did and did not infringe. Dr. Layne-
Farrar also testified that she relied on the deposition of a
Blue Coat engineer, in which the engineer stated that the
diagram in question represents the full scope of Secure
Web Gateway functionality. Based on this evidence, Dr.
Layne-Farrar based her analysis on the twenty-four
“functions” identified in the Blue Coat diagram and
considered each function equally valuable.
24                    FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.



    Blue Coat notes that Dr. Layne-Farrar’s conclusions
conflict with testimony from Mr. Shoenfeld, Blue Coat’s
Senior VP of Products, stating that each box in the dia-
gram can “have many, many things behind [it] . . . so
there’s no equal weighing of these [boxes] . . . .” See J.A.
40756. But the existence of conflicting testimony does not
mean the damages award is unsupported by substantial
evidence. The jury was entitled to believe the patentee’s
expert. The jury’s damages awards for infringement of the
’731 and ’633 patents were based on substantial evi-
dence. 2
                       CONCLUSION
    For the foregoing reasons, we reverse the denial of
JMOL of non-infringement with respect to the ’968 patent
and remand to the district court to determine the issue of
damages with respect to the ’844 patent. We affirm in all
other respects.



     2  Blue Coat also argues that the damages award
was flawed because the jury awarded damages in excess
of the estimates offered by Finjan’s damages expert.
Indeed, Finjan’s damages expert gave a range of
$2,979,805 to $3,973,073 for infringement of the ’731
patent and a range of $833,350 to $1,111,133 for in-
fringement of the ’633 patent, JA 40623, but the jury
awarded $6,000,000 for the ’731 patent and $1,666,700 for
the ’633 patent, J.A. 125. We agree with Blue Coat that
the statute’s direction to award damages “in no event less
than a reasonable royalty” does not mean that the patent-
ee need not support the award with reliable evidence. 35
U.S.C. § 284. A jury may not award more than is support-
ed by the record, but here the record contains evidence
that the expert’s estimates were conservative and that the
underlying evidence could support a higher award. J.A.
40619–20, 40656.
FINJAN, INC.   v. BLUE COAT SYSTEMS, INC.   25



 AFFIRMED-IN-PART, REVERSED-IN-PART, AND
               REMANDED.
                             COSTS
    Each party shall bear its own costs.
