
CISA KEV Deep Dive: The 14-Day Clock That Should Drive Your Patch Queue

March 5, 2026·8 min read·Chris Boker

The CISA Known Exploited Vulnerabilities (KEV) catalog is the best free threat intelligence feed most organizations are underutilizing. Updated multiple times per week, it contains CVEs with confirmed real-world exploitation, not theoretical severity, not lab conditions, not hypothetical attack chains. Confirmed exploitation in the wild.

Yet most organizations treat KEV entries the same as any other scanner finding: they go into the queue, get assigned a CVSS-based priority, and wait their turn. This is exactly backwards.

What KEV Is, and Isn't

CISA adds a vulnerability to KEV when three conditions hold: it has an assigned CVE ID, there is reliable evidence it is being actively exploited, and there is a clear remediation action (typically a vendor update or documented mitigation). The exploitation evidence comes from CISA's own threat intelligence sharing with federal agencies, reporting from vetted security vendors, and public threat research.

KEV is not:

  • A list of every dangerous CVE: many high-CVSS CVEs with no observed real-world exploitation are not in KEV
  • A complete list of exploited CVEs: KEV reflects exploitation that has been confirmed and reported to CISA, not all exploitation that occurs
  • A severity ranking: KEV entries carry CVSS scores from the medium range up to 10.0, and the catalog does not order them by score

KEV is a confirmed exploitation signal. The presence of a CVE in KEV means threat actors have been observed using it against real targets. That is a fundamentally different statement from "this vulnerability has a high severity score."

By the numbers: CVEs in KEV are approximately 3.5× more likely to be seen in ransomware campaigns than non-KEV CVEs with comparable CVSS scores. A KEV listing is not a worst-case scenario; it's a confirmed ongoing scenario.

BOD 22-01: The 14-Day Directive

CISA's Binding Operational Directive 22-01 requires all federal civilian executive branch agencies to remediate KEV entries by the due date CISA assigns to each entry. The directive set a baseline of two weeks for CVEs assigned in 2021 or later (and six months for older CVEs added when the catalog launched); CISA can set shorter deadlines for individual entries, and the dueDate on each catalog entry is the authoritative value for that CVE.

While BOD 22-01 technically applies only to federal agencies, the 14-day benchmark has become the de facto industry standard for private sector organizations with mature vulnerability management (VM) programs, and for good reason. If a vulnerability has confirmed active exploitation, a 30-day patch cycle is not a reasonable response.

How CVEs Get Added to KEV

Understanding the process helps you use KEV correctly:

  1. Exploitation observed: CISA receives reporting of real-world exploitation from federal agencies, ISACs, security vendors, or CISA's own observation
  2. Verification: CISA validates that the evidence meets its standard of "reliable evidence of active exploitation"
  3. Catalog update: the CVE is added with its required remediation date, affected vendor and product, and required action
  4. Agency notification: affected agencies are notified and the public catalog is updated

The catalog is available as a machine-readable JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (a CSV export is published alongside it), updated whenever entries are added. Each entry carries the fields you need for automation: cveID, vendorProject, product, dateAdded, requiredAction, dueDate, and knownRansomwareCampaignUse ("Known" or "Unknown").

KEV vs. EPSS: Complementary Signals

KEV and EPSS answer different questions and work best together:

Signal          Question answered                          Best use
CISA KEV        "Is this being exploited right now?"       Immediate escalation trigger; non-negotiable patch queue
EPSS ≥ 0.40     "Is this likely to be exploited soon?"     Predictive queuing; patch before exploitation occurs
CVSS            "How bad would it be if exploited?"        Tiebreaker within risk bands

EPSS estimates the probability that a CVE will see exploitation activity in the next 30 days; KEV records that it already has. A vulnerability can be high-EPSS but not yet in KEV: exploitation is likely but not yet confirmed. A CVE can be in KEV with a moderate EPSS: exploitation is confirmed but perhaps limited to targeted attacks. Both scenarios require action, but with different urgency.

Practical KEV Integration

Automated KEV Check on Scan Ingestion

Every time you ingest scan results, every CVE should be automatically checked against the current KEV catalog. Manual cross-referencing is error-prone and does not scale. If a CVE is in KEV, it should automatically surface at the top of your triage queue regardless of its CVSS score, carrying the catalog's dueDate so that overdue entries are visible without a second lookup.

KEV Watchlist for Asset Classes

Not all KEV entries affect your environment equally. A KEV entry for Apache Struts matters only if you actually run Struts (or software that embeds it). Filter KEV by the products and technologies present in your environment, matching on the feed's vendorProject and product strings since the catalog does not carry CPE identifiers, and alert on new KEV additions that match your asset inventory.
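The three pieces described above (ranking KEV over EPSS over CVSS, checking ingested scan findings against the catalog, and a product-scoped watchlist for new additions) fit in one small script. The following is an added example written for this article, not CVEasy AI code. The field names match the public CISA JSON feed, but the feed body, CVE IDs, scan findings and EPSS scores below are constructed placeholders, and the 0.40 EPSS cut-off is the threshold this article uses.

```python
"""KEV-first triage: rank scan findings KEV > EPSS > CVSS, flag overdue KEV
entries, and build a watchlist of new KEV additions that match our inventory.

Added example for this article, not vendor code. Feed field names follow the
public CISA KEV JSON; all entries, CVE IDs and scores below are constructed.
"""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
EPSS_THRESHOLD = 0.40  # the article's "likely to be exploited soon" cut-off

# Constructed stand-in for the body fetched from KEV_FEED_URL. CVE-2099-* IDs
# are placeholders; descriptive fields (shortDescription, notes, ...) omitted.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.05", "dateReleased": "2026-03-05T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2099-1001", "vendorProject": "Apache", "product": "Struts",
         "dateAdded": "2026-02-10", "dueDate": "2026-02-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-1002", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-17",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-1003", "vendorProject": "Cisco", "product": "IOS XE",
         "dateAdded": "2026-03-04", "dueDate": "2026-03-18",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output (cve, cvss, asset) and constructed EPSS scores.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2099-1001", "cvss": 4.3, "asset": "app-01"},  # KEV, medium CVSS, past due
    {"cve": "CVE-2099-2001", "cvss": 9.8, "asset": "db-01"},   # critical, not in KEV, low EPSS
    {"cve": "CVE-2099-2002", "cvss": 7.5, "asset": "web-02"},  # not in KEV, high EPSS
    {"cve": "CVE-2099-1002", "cvss": 8.8, "asset": "dc-01"},   # KEV, not yet due
]
SAMPLE_EPSS = {"CVE-2099-1001": 0.15, "CVE-2099-1002": 0.30,
               "CVE-2099-2001": 0.02, "CVE-2099-2002": 0.71}


def load_kev(feed_json):
    """Index the KEV feed by CVE ID (pass the fetched feed body in production)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier(cve, kev, epss):
    """0 = in KEV (confirmed), 1 = EPSS at/above threshold (likely), 2 = the rest."""
    if cve in kev:
        return 0
    return 1 if epss.get(cve, 0.0) >= EPSS_THRESHOLD else 2


def triage(findings, kev, epss, today_iso):
    """Enrich findings with tier/EPSS/KEV due date and sort most urgent first.
    Within a tier: ransomware-linked first, then earliest KEV dueDate, then EPSS,
    then CVSS as the final tiebreaker."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        e = kev.get(f["cve"])
        due = date.fromisoformat(e["dueDate"]) if e else None
        rows.append({**f, "tier": tier(f["cve"], kev, epss),
                     "epss": epss.get(f["cve"], 0.0), "kev_due": due,
                     "overdue": bool(due and today > due),
                     "ransomware": bool(e and e["knownRansomwareCampaignUse"] == "Known")})
    rows.sort(key=lambda r: (r["tier"], not r["ransomware"],
                             r["kev_due"] or date.max, -r["epss"], -r["cvss"]))
    return rows


def kev_watchlist(kev, inventory, since_iso):
    """KEV entries added on/after since_iso whose (vendorProject, product) is in
    inventory, matched case-insensitively on the feed's own strings (no CPEs)."""
    since = date.fromisoformat(since_iso)
    inv = {(v.lower(), p.lower()) for v, p in inventory}
    hits = [e for e in kev.values()
            if date.fromisoformat(e["dateAdded"]) >= since
            and (e["vendorProject"].lower(), e["product"].lower()) in inv]
    return sorted(hits, key=lambda e: e["dueDate"])


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_FEED)
    for r in triage(SAMPLE_FINDINGS, kev, SAMPLE_EPSS, "2026-03-05"):
        print(f'T{r["tier"]} {r["cve"]} cvss={r["cvss"]} epss={r["epss"]:.2f} '
              f'due={r["kev_due"]} overdue={r["overdue"]} ({r["asset"]})')
    for e in kev_watchlist(kev, {("Apache", "Struts"), ("Microsoft", "Windows")}, "2026-03-01"):
        print("NEW KEV matching inventory:", e["cveID"], e["vendorProject"], e["product"], "due", e["dueDate"])
```

Running the script ranks the CVSS 4.3 Struts finding first (KEV-listed, ransomware-linked, and past its due date) and the CVSS 9.8 non-KEV finding last, which is the ordering the article argues for. The watchlist call returns only the Windows entry, because the Struts entry predates the `since` date and nothing in the sample inventory runs IOS XE; in a real deployment, run the watchlist on each feed refresh and alert on anything it returns.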

KEV in Executive Reporting

KEV entries are one of the easiest VM metrics to communicate to non-technical leadership:

  • "We have 2 vulnerabilities on the CISA actively-exploited list. Both are being patched this week."
  • "Zero known-exploited vulnerabilities remain open past our 14-day SLA."

These statements are clear, defensible, and directly linked to confirmed threat intelligence, not hypothetical risk scores.

CVSS 4.3 in KEV > CVSS 9.8 not in KEV. Among the CVEs actually present on your assets, a medium-severity CVE with confirmed active exploitation should always outrank a critical CVE with no exploitation evidence. KEV is your override signal. Treat it that way.

What CVEasy AI Does with KEV

CVEasy AI pulls the live KEV JSON feed automatically and cross-references every CVE in your triage queue. KEV-listed CVEs receive a hard boost in the TRIS™ score calculation. They surface at the top of your queue with a prominent KEV badge, their required remediation date, and AI-generated remediation guidance specific to the affected product.

You never have to manually check the KEV catalog again. Every new KEV addition that affects your scanned CVEs triggers re-prioritization automatically.
