What is the CISA KEV?
The CISA KEV, for Known Exploited Vulnerabilities, is a catalog maintained by the Cybersecurity and Infrastructure Security Agency, the US federal cybersecurity agency. It lists vulnerabilities for which there is evidence of active exploitation by attackers.
Each entry specifies the vulnerability (via its CVE identifier), the date it was added and a remediation deadline. To make the KEV, a flaw must meet strict criteria, including proof of real exploitation and the existence of a clear corrective action.
Why it matters for your organization
The KEV answers the most useful question in vulnerability management: among all known flaws, which are actually being used against organizations right now? It is a short, very high-value list to treat as top priority.
It acts as a powerful filter against noise. Where CVE catalogs hold tens of thousands of entries, the KEV focuses attention on those that matter immediately.
How to fold the KEV into your prioritization
- As top priority: any KEV vulnerability present in your estate jumps the queue.
- Automatically correlated with your asset inventory.
- As a complement to CVSS (severity) and EPSS (likelihood) for the remaining flaws.
- Continuously tracked: the catalog is updated regularly as new exploitation emerges.
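The ordering described in the list above, as an added example (not code from this page or from CISA). The feed sample follows the KEV JSON layout (cveID, dateAdded, dueDate); the CVE identifiers, asset names and scores are constructed placeholders, and prioritize() is a hypothetical helper.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed.
# The CVE identifiers are placeholders, not real catalog entries.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2024-01-10", "dueDate": "2024-01-31"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2024-02-01", "dueDate": "2024-02-22"}
]}
""")

# Constructed scanner findings joined to the asset inventory: one row per (asset, CVE).
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0002", "cvss": 7.5, "epss": 0.40},
    {"asset": "web-03", "cve": "CVE-0000-0003", "cvss": 9.8, "epss": 0.02},
    {"asset": "mail-01", "cve": "CVE-0000-0001", "cvss": 6.5, "epss": 0.10},
    {"asset": "db-02", "cve": "CVE-0000-0004", "cvss": 7.0, "epss": 0.65},
]

def prioritize(findings, kev_feed, today):
    """Order findings: KEV first (earliest deadline first), then by EPSS, then CVSS."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = dict(f, in_kev=entry is not None, due=None, overdue=False)
        if entry:
            row["due"] = date.fromisoformat(entry["dueDate"])
            row["overdue"] = row["due"] < today
        ranked.append(row)
    # KEV rows jump the queue; within KEV the nearest deadline comes first.
    # Remaining flaws fall back to EPSS (likelihood), then CVSS (severity).
    ranked.sort(key=lambda r: (
        not r["in_kev"],
        r["due"] or date.max,
        -r["epss"],
        -r["cvss"],
    ))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_FEED, today=date(2024, 2, 10)):
        tag = "KEV" if r["in_kev"] else "   "
        due = f"due {r['due']}{' OVERDUE' if r['overdue'] else ''}" if r["in_kev"] else ""
        print(f"{tag} {r['asset']:<10} {r['cve']} cvss={r['cvss']} epss={r['epss']} {due}")
```

With this sample, the CVSS 9.8 finding on web-03 lands last: it is not in the KEV and its EPSS is low, while the two KEV findings with lower CVSS scores come first.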
Where organizations most often fall short
The classic mistake is not linking the KEV to your own inventory: knowing a flaw is actively exploited is useless if you do not know where it lives in your estate. The other pitfall is checking the catalog only occasionally, when it changes constantly and requires continuous monitoring.