Prioritization to Prediction, Vol. 9

The Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities” (KEV) catalog has become a primary driver for vulnerability prioritization across the public and private sectors. This ninth volume of the Prioritization to Prediction series subjects the KEV to rigorous statistical analysis to determine its role in a mature risk-based program. The report rewards the click by providing a definitive look at the catalog’s efficiency, coverage, and the “recency bias” that might be blinding defenders to older, persistent threats.

The analysis confirms that the KEV is an exceptionally “efficient” signal: if a vulnerability is on the list, it is almost certainly a real threat that warrants remediation. However, the catalog lacks “coverage.” Only 0.5% of all published vulnerabilities make the KEV, and a staggering 94% of CVEs that show evidence of exploitation in the wild are not included in the list. This finding is a critical corrective for teams that rely solely on the KEV as their definition of “exploited.”

The report also dives into the operational reality of the KEV within the enterprise. Nearly every organization has detected at least one KEV vulnerability on its network, yet typical remediation capacity is 10 times higher than what is required to keep up with the list. This research serves as an essential guide for CISOs to integrate the KEV as one of many vital signals—alongside EPSS and internal context—to build a truly predictive defense.

Key Findings

• The 0.5% Needle: The CISA KEV catalog is highly selective, encompassing just 0.5% of the more than 200,000 published vulnerabilities.
• 94% Coverage Gap: Roughly 94% of vulnerabilities for which there is reliable evidence of exploitation in the wild do not appear on the CISA KEV list.
• 98% Detection Rate: KEV vulnerabilities are nearly ubiquitous in the enterprise, with 98.3% of organizations having detected at least one on their network.
• High-Severity Bias: KEV vulnerabilities are significantly more severe than the general population; 1/3rd are rated as “Critical” compared to just 15% of all CVEs.
• The 10-Year Threat: 38% of current exploitation attempts target vulnerabilities that were published more than 10 years ago, many of which are underrepresented on the KEV.
• 10x Remediation Capacity: The typical organization has 10 times the remediation capacity required to keep up with the monthly flow of new KEV additions (15% capacity vs 1.5% KEV volume).