Leveraging the KEV (Known Exploited Vulnerabilities) Catalog

PentaTrail Team · 5 min read

What is the KEV Catalog?

The KEV (Known Exploited Vulnerabilities) catalog is maintained by CISA (Cybersecurity and Infrastructure Security Agency) and lists vulnerabilities that have been confirmed as actively exploited in real-world attacks. Launched in November 2021, it is continuously updated.

While the CVE database contains over 200,000 entries, the KEV catalog includes only a fraction (approximately 1,100 as of 2024). Inclusion in KEV means the vulnerability is not a theoretical threat — it's a confirmed, active one.

KEV Inclusion Criteria

A vulnerability must meet all three criteria to be added:

1. Has a CVE ID

A formal CVE identifier must be assigned.

2. Evidence of Active Exploitation

There must be reliable evidence that attackers are actively exploiting the vulnerability in the wild; a public proof-of-concept (PoC) alone is insufficient.

3. Remediation Available

The vendor has provided a patch or workaround. Vulnerabilities without available fixes are not listed.

KEV Entry Information

Each entry includes:

  • CVE ID: Vulnerability identifier
  • Vendor/Product: Affected software
  • Vulnerability Name: Short description of the flaw
  • Date Added: When it was added to KEV
  • Due Date: Remediation deadline for US federal agencies
  • Required Action: Recommended remediation steps
  • Known Ransomware Campaign Use: Whether used in ransomware attacks

How to Use KEV

1. Top Patch Priority

If a KEV-listed vulnerability exists in your environment, it should be unconditionally top priority. These aren't "might be exploited someday" — they're "already being exploited."

2. Set SLAs

CISA sets remediation deadlines for federal agencies. Private organizations should establish similar SLAs:

Severity                 Recommended SLA
-----------------------  ---------------
KEV + Critical           Within 48 hours
KEV + High               Within 1 week
KEV + Medium or below    Within 2 weeks

3. Supply Chain Risk Management

Verify that your vendors and partners are addressing KEV-listed vulnerabilities to reduce supply chain risk.

4. Executive Reporting

"We have X CISA-confirmed exploited vulnerabilities in our systems" is a message that resonates beyond the security team and effectively communicates risk to leadership.

CVSS, EPSS, and KEV Compared

Metric   What It Measures           Update Frequency       Characteristics
-------  -------------------------  ---------------------  -----------------------
CVSS     Technical severity         Fixed at publication   Static, no context
EPSS     Exploitation probability   Daily                  Predictive, dynamic
KEV      Confirmed exploitation     As discovered          Factual, most certain

Combining all three provides a multi-dimensional assessment of true vulnerability risk.
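The following is an added example, not code from the article or from PentaTrail, showing how the KEV cross-reference, the SLA table above, and the CVSS/EPSS/KEV combination fit together in practice. It parses a KEV-style feed document (the field names cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate and knownRansomwareCampaignUse follow CISA's public JSON feed; the two entries and the placeholder CVE IDs are constructed for the example), enriches a constructed list of scanner findings, attaches the article's SLA deadline to every KEV hit, and ranks the results so that confirmed exploitation outranks both EPSS and CVSS. The ranking rule (KEV first, then EPSS, then CVSS) is this example's own design choice, not PentaTrail's TDL/TER logic.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's public KEV JSON feed. The field names are
# the feed's; the entries are made up for this example and the CVE IDs are placeholders,
# not real catalog records.
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN authentication bypass", "dateAdded": "2024-01-15",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-02-05",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
     "vulnerabilityName": "ExampleCMS path traversal", "dateAdded": "2024-03-01",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-03-22",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner findings for one host: CVE, CVSS base score, EPSS probability.
FINDINGS = [
    {"cve": "CVE-0000-00001", "cvss": 9.8, "epss": 0.96},
    {"cve": "CVE-0000-00002", "cvss": 5.3, "epss": 0.41},
    {"cve": "CVE-0000-00003", "cvss": 9.1, "epss": 0.02},  # critical on paper, not in KEV
    {"cve": "CVE-0000-00004", "cvss": 7.5, "epss": 0.72},  # likely exploitable, not in KEV
]

# Remediation SLAs from the article's table, keyed by CVSS severity band.
KEV_SLA = {
    "Critical": timedelta(hours=48),
    "High": timedelta(days=7),
    "Medium or below": timedelta(days=14),
}


def load_kev_index(feed_json):
    """Parse a KEV feed document and index its entries by CVE ID for constant-time lookup."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def cvss_band(score):
    """Map a CVSS v3 base score to the severity band used in the SLA table."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium or below"


def prioritize(findings, kev_index, today):
    """Rank findings: KEV-listed first (confirmed exploitation), then EPSS, then CVSS.

    KEV findings get an SLA deadline from the article's table plus the catalog's
    required action; everything else gets no deadline, so the 'already being
    exploited' items stand out from the 'might be exploited someday' ones.
    """
    enriched = []
    for finding in findings:
        kev = kev_index.get(finding["cve"])
        band = cvss_band(finding["cvss"])
        item = {**finding, "severity": band, "in_kev": kev is not None,
                "deadline": None, "ransomware": False, "required_action": None}
        if kev:
            item["deadline"] = today + KEV_SLA[band]
            item["ransomware"] = kev.get("knownRansomwareCampaignUse") == "Known"
            item["required_action"] = kev.get("requiredAction")
        enriched.append(item)
    # KEV membership dominates the ordering; EPSS breaks ties; CVSS comes last.
    enriched.sort(key=lambda x: (x["in_kev"], x["epss"], x["cvss"]), reverse=True)
    return enriched


def executive_summary(ranked):
    """Numbers behind 'We have X CISA-confirmed exploited vulnerabilities in our systems'."""
    return {
        "kev_count": sum(1 for r in ranked if r["in_kev"]),
        "ransomware_linked": sum(1 for r in ranked if r["ransomware"]),
    }


def rank_sample(today_iso="2024-06-01"):
    """Run the whole pipeline on the constructed feed and findings for a given 'today'."""
    return prioritize(FINDINGS, load_kev_index(KEV_FEED_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    ranked = rank_sample()
    for r in ranked:
        tag = "KEV" if r["in_kev"] else "   "
        print(f'{r["cve"]}  {tag}  {r["severity"]:<16}  EPSS={r["epss"]:.2f}  deadline={r["deadline"]}')
    print(executive_summary(ranked))
```

Note how the CVSS 9.1 finding that is absent from KEV drops below a CVSS 5.3 finding that is in the catalog: that inversion is the whole point of the "KEV overrides everything" rule, and the deadline column is what turns the ranking into an SLA a ticketing system can enforce.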

KEV Integration in PentaTrail

PentaTrail/CTEM automatically cross-references discovered vulnerabilities against the KEV catalog. When a KEV-listed vulnerability is detected, the KEV boost raises the Threat Discovery Level (TDL) by one level, lifting the finding to the upper rows of the TER band (S or A). The dashboard also surfaces it as an immediate alert.

To try vulnerability management with the KEV boost included, Start Your 14-Day Free Trial.
