The KEV list is useful but largely misunderstood. KEVology explains what it is, and how best to use it.
CISA’s KEV Catalog, more commonly known as the KEV list, emerged with the issuance of BOD 22-01 in November 2021. The catalog, currently a list of just over 1,500 vulnerabilities known to have been exploited in the wild, looks like a high-value prioritization source for vulnerability remediation within industry. It can be, but it is not automatically so. It has two limitations: range and detail.
Securing private business is not CISA’s function. CISA’s remit is to raise the security of FCEB agencies, and KEV is a notification to FCEB agencies of those vulnerabilities that are both urgent (already being exploited) and fixable (basically, have a vendor patch).
Curating a list that contains these necessities requires a strict set of conditions which will inevitably exclude more vulnerabilities than it includes. This is the range limitation. The second limitation is that each KEV entry is sparse on detail, making it difficult to prioritize the order in which to remediate.
Tod Beardsley, currently VP of Security Research at runZero (and formerly CISA KEV section chief) has written a paper simply titled ‘KEVology’. It is designed to help security teams understand KEV, and how best to use it.
Beardsley explained CISA’s KEV and his KEVology paper to SecurityWeek. “To be included in the KEV,” he said, “a vulnerability must have the four qualities defined in BOD 22-01. Firstly, it must have a CVE number – so a super fresh zero-day will not make it into KEV.”
End-of-life operating systems similarly miss out. Companies still use them, but nobody produces a CVE for them. “They can just be quietly accumulating vulnerabilities that no one knows or cares about,” he added, “except the state actors who make it their job to know about them. Such vulnerabilities are favored by intelligence operators who have the bandwidth to research old operating systems – but none of that will ever hit the KEV.” Even if it is known to be exploited.
The second requirement, he continued, is “It must have been exploited – so a vulnerability that has been known for ten years, but for which CISA has no knowledge of exploitation, will not make the cut.” The important point here is not actually whether it has been exploited, but whether CISA is aware of it being exploited.
The third, he continued, is the availability of a patch. “Let’s say the vendor says, ‘Nope, that’s not a bug, it’s a feature,’ and declines to patch it. Meanwhile, Metasploit and/or Nuclei publish exploits that get used in the wild. That exploited vulnerability still won’t be included because there’s no vendor patch.”
The fourth, he continued, is “It must be relevant to US federal interests.” There are numerous vulnerabilities in video games that can provide adversarial bridges into the wider business environment. “But they will never make the KEV, because the federal government doesn’t care about games.” In 2022, hackers exploited an RCE flaw in Dark Souls, forcing Bandai Namco to shut down its network.
Conversely, there are entries that will have little interest for the wider business environment. For example, CVE-2021-44207 is included, but, said Beardsley, “Unless you are a state-employed veterinary care provider, you probably don’t need to worry too much about it.”
Interestingly, while not referencing end-of-life operating systems, the latest BOD from CISA (26-02, issued on February 5, 2026) requires FCEB agencies to decommission and replace ‘End-of-Support Edge Devices’. In at least one sense, this could be considered a widening of the Catalog’s scope, since the requirement covers all end-of-support edge devices, whether or not they carry a vulnerability known to have been exploited and whether or not a patch exists.
Perhaps the biggest problem with the KEV is that hard-pressed business security teams understandably focus on it without necessarily understanding its limitations. “This is the hitlist that I must remediate because the government has said so.”
Without detracting from its value and importance, Beardsley wrote in the paper, “That’s not its purpose.” Its purpose is to signal to FCEB agencies what needs to be patched. His paper expands this signal to be relevant to the wider cybersecurity industry. “KEVology examines the KEV as an operational signal with the goal of helping cybersecurity practitioners make defensible prioritization decisions under real-world constraints.”
To assist in this prioritization, the paper evaluates “a range of commonly used enrichment signals, including CVSS, EPSS, SSVC, as well as less-common signals such as public exploit tooling, MITRE ATT&CK mappings, and time-sequenced relationships, emphasizing that no single metric is sufficient on its own. Rather, value emerges from combining diverse, imperfect signals to reason about uncertainty, effort, and urgency as the KEV continues to grow in size, scope, and technological diversity.”
The attraction for security teams is obvious: it is far easier to remediate the 1,500 KEV entries and new ones as they arrive, than try to tackle the full list of more than 300,000 CVEs. What the KEVology paper seeks to provide is an enrichment methodology to ease and maximize use of the KEV.
The paper is accompanied by the launch of Beardsley’s own KEV Collider web app, hosted on runZero. “It’s essentially an interactive form of the paper,” he explained. “You can tell the Collider, ‘Today I’m only concerned about KEV vulnerabilities with these CVSS qualities.’ Of course, you can filter on multiple qualities – so you could filter on ‘remote’ with an EPSS (Exploit Prediction Scoring System) score of 0.50 or more [a 50% chance that this vulnerability will be exploited somewhere in the next 30 days] and / or for which a Metasploit module or Nuclei template exists.”
This provides immediate KEV data enrichment to align CISA’s recommendations with the organization’s own security priorities, quickly telling the security team how to prioritize, or perhaps ignore, KEV’s entries.
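The combined-signal approach the paper describes and the Collider-style query Beardsley quotes above, written out as an added example that is not code from the KEVology paper or runZero’s Collider. KEV records use the field names of CISA’s public KEV JSON feed; the enrichment keys (cvss_vector, epss, metasploit, nuclei), the blending weights and every CVE value are assumptions constructed for the illustration.

```python
"""Filter and rank KEV entries with outside enrichment signals (added example).

KEV records follow CISA's KEV JSON feed field names; the enrichment keys
(cvss_vector, epss, metasploit, nuclei) are assumed names for joined data,
and every value below is constructed, including the placeholder CVE IDs."""

# Constructed KEV-style records (CVE IDs are placeholders, not real entries).
KEV = [
    {"cveID": "CVE-0000-0001", "product": "EdgeGW", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "Desktop", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "product": "VetPortal", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "product": "MailGW", "knownRansomwareCampaignUse": "Unknown"},
]
# Constructed enrichment per CVE: CVSS v3.1 vector, EPSS probability, public exploit tooling.
ENRICH = {
    "CVE-0000-0001": {"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "epss": 0.91, "metasploit": True, "nuclei": True},
    "CVE-0000-0002": {"cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "epss": 0.62, "metasploit": False, "nuclei": False},
    "CVE-0000-0003": {"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "epss": 0.04, "metasploit": False, "nuclei": True},
    "CVE-0000-0004": {"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "epss": 0.70, "metasploit": False, "nuclei": False},
}

def attack_vector(vector: str) -> str:
    """Return the AV metric ('N', 'A', 'L' or 'P') from a CVSS v3.x vector string."""
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    return metrics.get("AV", "")

def has_public_tooling(e: dict) -> bool:
    """True when a Metasploit module or Nuclei template is recorded for the entry."""
    return bool(e.get("metasploit") or e.get("nuclei"))

def shortlist(kev, enrich, min_epss=0.50, tooling="or"):
    """The Collider-style query quoted above: remote (AV:N) entries with EPSS >= min_epss,
    combined with public tooling as 'or' (either suffices), 'and' (both) or 'ignore'."""
    kept = []
    for entry in kev:
        e = enrich.get(entry["cveID"])
        if e is None or attack_vector(e["cvss_vector"]) != "N":
            continue  # not enriched yet, or not remotely reachable: leave it out
        likely, tooled = e["epss"] >= min_epss, has_public_tooling(e)
        if {"or": likely or tooled, "and": likely and tooled, "ignore": likely}[tooling]:
            kept.append(entry["cveID"])
    return kept

def rank(kev, enrich):
    """Blend EPSS with fixed bumps for public tooling and KEV's ransomware flag (illustrative weights)."""
    def score(entry):
        e = enrich.get(entry["cveID"], {})
        return (e.get("epss", 0.0) + (0.25 if has_public_tooling(e) else 0.0)
                + (0.25 if entry.get("knownRansomwareCampaignUse") == "Known" else 0.0))
    return [(x["cveID"], round(score(x), 2)) for x in sorted(kev, key=score, reverse=True)]
```

Against a real feed, `KEV` would be the `vulnerabilities` array of CISA’s JSON and `ENRICH` the team’s own joined EPSS, CVSS and tooling data; the local-only entry drops out of the shortlist while still appearing in the full ranking.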
While the KEV Collider, born out of the KEVology paper, maximizes and streamlines the use and value of CISA’s KEV Catalog, it brings an additional benefit. Time saved on simply understanding and prioritizing CISA’s FCEB remediation instructions can be released for business security teams to look at other issues – those vulnerabilities that look dangerous but will never appear within KEV.