The CISA Known Exploited Vulnerabilities (KEV) Catalog is one of the most influential signals in vulnerability management worldwide. It’s also one of the most misunderstood.

Some teams treat KEV like a compliance punch list: a fixed set of “things to patch,” universally urgent, universally applicable. But that isn’t what KEV is. It’s an operational signal—produced under real constraints, reflecting real exploitation, and designed to drive action in a very specific context.

Two new KEV resources, now live! #

Today, we’re releasing two new resources that approach KEV the way defenders actually have to work: by reasoning under uncertainty, mixing imperfect signals, and making defensible decisions when time and coverage are limited.

KEVology: how exploits, scores, and timelines intersect on the CISA KEV #

A new report by Tod Beardsley, former CISA Section Chief for the KEV, analyzing how KEV entries behave across exploits, scores, and timelines, and what actually matters in real environments.

🧪 Read the report ➜


KEV Collider #

A community-first web application and dataset that lets you smash together risk and threat signals and measure what falls out—so you can explore, validate, and adapt the analysis to your own operational reality.

🚀 Launch KEV Collider ➜


The uncomfortable truth about KEV #

The starting point for both resources is a simple but uncomfortable truth: the KEV is not a list of “the worst vulnerabilities ever,” and it was never meant to be treated as one. KEV is a constrained catalog shaped by explicit criteria and real-world tradeoffs. Every entry reflects observed exploitation—but not every entry carries the same urgency, impact, or relevance for every environment.

That distinction matters because most vulnerability teams aren’t operating under a single mandate or timeline. Outside of strict BOD 22-01 compliance, treating every KEV as equal quickly collapses under operational scrutiny. Teams have limited patching windows, uneven asset visibility, and competing priorities that can’t be resolved by a single score or list.

KEVology takes this problem seriously by treating KEV as data rather than doctrine. Instead of asking whether KEV entries are “important” in the abstract, the report examines how they behave in practice. We explore how commodity exploitation, scoring systems, and timelines interact over time, and where those interactions produce clarity or confusion for defenders. The goal isn’t to undermine KEV, but to make its signal more usable by everyone, inside and outside the US federal government.

Why no single metric can prioritize risk #

One of the report’s core conclusions is that no single metric can do prioritization for you. CVSS describes potential impact, not likelihood. EPSS models probability, but not exposure. SSVC adds decision framing, but can’t know your environment. Even “exploit exists” is a blunt signal without context. What actually supports better decisions is the combination of signals, especially when you pay attention to when things happen, not just what happens.

That’s where our new KEV Collider tool comes in.

From analysis to experimentation #

The KEV Collider is designed as a companion to the report: a place to test assumptions rather than accept conclusions. Developed and hosted by runZero, it’s a daily-updated web application built on open-source data that layers the CISA KEV catalog with the enrichment an investigator needs to distinguish between theoretical risk and real-world fire drills. Instead of prescribing priorities, it lets you explore how different signals combine and how those combinations change the story you tell about risk.
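To make the "combine the signals, and watch the clock" point concrete, here is an added Python example. It is not code from the KEVology report or from KEV Collider; it takes KEV-shaped records, layers CVSS, EPSS, and asset exposure from a local inventory on top of them, and tiers each entry with an explanation rather than a single score. The record field names follow the public CISA KEV JSON feed; the CVE ids, scores, asset counts, dates, and tier thresholds are all constructed assumptions for illustration.

```python
"""Combining vulnerability signals into a defensible, explainable priority.

Added illustration only; this is not the KEVology analysis or the KEV
Collider's own code. KEV record field names follow the public CISA KEV
JSON feed (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse); every value below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Constructed KEV-shaped records (placeholder CVE ids, not real catalog entries).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "DesktopAgent",
     "dateAdded": "2025-02-20", "dueDate": "2025-03-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "LegacyRouter",
     "dateAdded": "2024-11-05", "dueDate": "2024-11-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "FileServer",
     "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"},
]


@dataclass
class Enrichment:
    """Signals the KEV record itself does not carry (constructed values)."""
    cvss: float           # CVSS base score: potential impact, not likelihood
    epss: float           # EPSS: probability of exploitation activity, not exposure
    asset_count: int      # affected assets in *our* inventory: the missing exposure signal
    internet_facing: bool


ENRICHMENT_SAMPLE = {
    "CVE-0000-0001": Enrichment(cvss=9.8, epss=0.92, asset_count=3, internet_facing=True),
    "CVE-0000-0002": Enrichment(cvss=7.8, epss=0.03, asset_count=40, internet_facing=False),
    "CVE-0000-0003": Enrichment(cvss=9.1, epss=0.65, asset_count=0, internet_facing=False),
    "CVE-0000-0004": Enrichment(cvss=6.5, epss=0.12, asset_count=5, internet_facing=False),
}

TIER_ORDER = {"act-now": 0, "this-cycle": 1, "next-window": 2, "track": 3}


def triage(entry: dict, enrich: Enrichment, today: date) -> tuple[str, list[str]]:
    """Assign one KEV entry to a tier and explain why, using several signals at once.

    The thresholds here are illustrative assumptions, not recommendations from the report.
    """
    days_listed = (today - date.fromisoformat(entry["dateAdded"])).days
    overdue = today > date.fromisoformat(entry["dueDate"])
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    reasons = [f"in KEV for {days_listed} days", f"CVSS {enrich.cvss}", f"EPSS {enrich.epss:.2f}"]

    # Exposure first: a severe, actively exploited bug in software we do not run is
    # something to track, not something to patch this week.
    if enrich.asset_count == 0:
        return "track", reasons + ["no affected assets in inventory"]
    reasons.append(f"{enrich.asset_count} affected assets")

    # Likelihood plus reachability: high EPSS or ransomware use on an exposed asset.
    if enrich.internet_facing and (enrich.epss >= 0.5 or ransomware):
        reasons.append("internet-facing")
        reasons.append("ransomware campaign use" if ransomware else "high EPSS")
        return "act-now", reasons

    # Timeline: the catalog's own due date has passed, or exploitation odds are non-trivial.
    if overdue or enrich.epss >= 0.1:
        reasons.append("past KEV due date" if overdue else "EPSS above 0.1")
        return "this-cycle", reasons

    return "next-window", reasons


def rank(entries: list[dict], enrichment: dict, today: date) -> list[dict]:
    """Triage every entry and order the result by tier, then by EPSS within a tier."""
    rows = []
    for entry in entries:
        enrich = enrichment[entry["cveID"]]
        tier, reasons = triage(entry, enrich, today)
        rows.append({"cveID": entry["cveID"], "tier": tier, "epss": enrich.epss, "reasons": reasons})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["epss"]))
    return rows


def demo() -> list[dict]:
    """Run the ranking over the constructed sample as of a fixed date (2025-03-01)."""
    return rank(KEV_SAMPLE, ENRICHMENT_SAMPLE, date(2025, 3, 1))


if __name__ == "__main__":
    for row in demo():
        print(f'{row["cveID"]}: {row["tier"]:<12} ' + "; ".join(row["reasons"]))
```

Two things the output makes visible that no single metric would: the entry with the highest CVSS and a high EPSS (CVE-0000-0003) lands in "track" because nothing in the inventory runs it, while a mid-severity entry (CVE-0000-0004) moves up purely on the timeline signal, its catalog due date having already passed. Swapping in real KEV feed records, EPSS scores, and your own asset inventory turns this into the kind of experiment the Collider is built to make repeatable.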

Together, KEVology and KEV Collider turn KEV analysis into a controlled and shareable experiment. They’re meant to help teams move beyond checkbox coverage and toward evidence-based reasoning, where prioritization is treated honestly and transparently, as a hypothesis about the world that must be tested, defended, and revised over time.

Start with the report. Then take it into the lab. #

If you want to understand what the KEV is actually telling you, start with the report, then take the analysis into the lab with the KEV Collider. The KEV will keep evolving. The best way to keep up is to interrogate vulnerabilities with the same rigor attackers apply to exploiting them.

Want to run a holistic experiment in your own environment? runZero surfaces the asset context you need to do it. Try runZero for free today.

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!
