- What: KEV Collider is a new tool that combines data from multiple open source vulnerability frameworks.
- Impact: Helps security teams quickly assess which vulnerabilities are important based on their priorities.

Dark Reading

Data Tool to Triage Exploited Vulnerabilities Can Make KEV More Useful

A disconnect exists between an organization's cybersecurity needs and lists like CISA's KEV Catalog. KEV Collider combines data from multiple open source vulnerability frameworks to help security teams quickly assess which are important, based on their priorities.

Robert Lemos, Contributing Writer
February 5, 2026

Source: Screenshot of runZero's KEV Collider

All software vulnerabilities are not the same. Faced with a quickly growing number of vulnerabilities — more than 48,100 in 2025, up 21% from the previous year — IT and security teams are searching for ways to prioritize which issues need patching and which can be put off for another day.

While a variety of approaches exist, including the Exploit Prediction Scoring System (EPSS) and the Likely Exploited Vulnerabilities (LEV) equation, many companies rely on the Known Exploited Vulnerabilities (KEV) Catalog published by the US Cyber and Infrastructure Security Agency (CISA) for a short list of high-impact issues that need immediate attention.

Unfortunately, the cybersecurity priorities of most organizations do not match the list, says Tod Beardsley, former section chief for the CISA KEV group and current vice president of security research at runZero, a cyber-exposure management firm.

"It's harmful, I would say, if you are not in the federal civilian executive branch of government to treat KEV as a must-patch list because what that will end up doing is burning a lot of cycles, and [you] only got so many cycles in the day," he says.

"And you are probably better off doing other things than chasing what are likely low-severity, low-probability vulnerabilities in your environment."

To help companies better triage the KEV list — and perhaps other such lists in the future — Beardsley created a site, KEV Collider, that allows security teams to quickly search through the KEV Catalog using various criteria to make the list of vulnerabilities more relevant to their environments.

The Problem With the KEV

For a vulnerability to be included in the KEV Catalog, the following criteria must be met: It must be assigned a Common Vulnerabilities and Exposures (CVE) identifier, a patch or other mitigation must be available, evidence of exploitation must exist, and the impact must affect US civilian interests.

For most companies, those criteria do not match their cybersecurity needs, Beardsley wrote in his research paper titled "KEVology." In particular, waiting for a patch to be available and for the issue to be actively exploited means critical vulnerabilities do not get added to the catalog as soon as they are made public. That is a window of time when organizations could act before exploitation, but the KEV hasn't made it a priority yet.

On the other hand, some vulnerabilities — such as those found in Apple products with high patch rates because updates are automated — have been exploited but are unlikely to be exploited again. By the time those flaws get listed in the KEV, the likelihood of exploitation has dropped because the products have already been patched or the vulnerabilities require significant user interaction for the exploit to work, according to the report.

"Unless you're in that special class of 'high-value, individually-targeted iPhone user,' you're unlikely to be affected directly by these bugs," Beardsley wrote in the paper, noting that "bugs described by Apple as CVEs tend to already be patched by the time they're documented, and iPhone updates can be difficult to avoid, even on purpose. You generally needn't lose much sleep over these bugs."

Scatter plot showing the time between publishing a CVE (green dot) and the issue being added to Metasploit (pink), Nuclei (red), and the KEV Catalog (blue line). Source: runZero, "KEVology" paper

The KEV Collider brings together data from the KEV Catalog with other information, such as Common Vulnerability Scoring System (CVSS) scores, EPSS scores, and whether the exploit has been automated by the Metasploit tool, to allow cybersecurity teams to filter current issues by several criteria. The 235 KEVs that are also included in both the Nuclei application testing framework and Metasploit — considered highly commoditized — can be considered critical for any company using an affected product, for example.

"The novel thing here is the smashing together of several signals into a mental framework that you can take, and when the next KEV comes out, you can look at it quickly, and you say, 'Oh, do I have to care about this now?'" he says. "'Can I care about this tomorrow? ... Can I never care about this?' I should be able to make those calls pretty quick on the day-to-day, especially if I'm on the hook for patching, and I have to explain to my boss why I'm not freaking out over the latest KEV."
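
One way to turn the combined signals into the "now, tomorrow, never" calls described above, as an added example that is not code from KEV Collider or runZero. The thresholds, field names, placeholder CVE ids, product names and scores are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed cut-offs for this example; not values from KEV Collider or "KEVology".
EPSS_HIGH, EPSS_LOW, CVSS_HIGH = 0.5, 0.05, 7.0

@dataclass
class KevEntry:
    cve: str             # placeholder identifier (constructed)
    product: str         # hypothetical product name
    cvss: float          # CVSS base score, 0.0-10.0
    epss: float          # EPSS probability, 0.0-1.0
    in_metasploit: bool  # a Metasploit module exists
    in_nuclei: bool      # a Nuclei template exists

def triage(entry, inventory):
    """Bucket one KEV entry as 'now', 'tomorrow' or 'never' for this environment."""
    if entry.product not in inventory:
        return "never"                     # affected product is not deployed here
    tooling = int(entry.in_metasploit) + int(entry.in_nuclei)
    if tooling == 2:
        return "now"                       # in both frameworks: highly commoditized
    if entry.epss >= EPSS_HIGH or (tooling and entry.cvss >= CVSS_HIGH):
        return "now"
    if tooling == 0 and entry.epss < EPSS_LOW and entry.cvss < CVSS_HIGH:
        return "never"                     # low severity, low probability
    return "tomorrow"

def triage_catalog(entries, inventory):
    """Group CVE ids by bucket, highest EPSS first within each bucket."""
    buckets = {"now": [], "tomorrow": [], "never": []}
    for e in sorted(entries, key=lambda e: e.epss, reverse=True):
        buckets[triage(e, inventory)].append(e.cve)
    return buckets

# Constructed sample data: placeholder CVE ids and made-up products and scores.
INVENTORY = {"example-vpn", "example-cms", "example-mail"}
SAMPLE = [
    KevEntry("CVE-0000-0001", "example-vpn", 9.8, 0.94, True, True),
    KevEntry("CVE-0000-0002", "example-cms", 6.1, 0.02, False, False),
    KevEntry("CVE-0000-0003", "example-phone-os", 8.8, 0.01, False, False),
    KevEntry("CVE-0000-0004", "example-mail", 5.3, 0.10, False, True),
    KevEntry("CVE-0000-0005", "example-vpn", 8.1, 0.62, False, False),
]

if __name__ == "__main__":
    for bucket, cves in triage_catalog(SAMPLE, INVENTORY).items():
        print(f"{bucket:9s}", ", ".join(cves))
```

A "never" here only holds for the inventory and scores as supplied, so the buckets should be recomputed whenever either changes.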

Beyond the KEV

The analysis works because all the sources of information are currently open source and available, but other lists — such as VulnCheck's KEV list, which has about three times as many vulnerabilities as CISA's list — could be candidates for similar data enrichment, says Beardsley.

"I think you could definitely expand this out — this methodology anyway — to larger lists of vulnerabilities, and someone should," he says. "But ... KEV is nice. The work here is handy because all of my sources are very, very public and are not covered by licensing or anything like that, and so this gives me kind of a fun view of a set of vulnerabilities that a lot of people care about, and maybe they care about it for the wrong reason is my supposition."

In the end, Beardsley aims to help security teams make better decisions about which vulnerabilities to triage and remediate, so they can offset the increasing workload from a growing list of exploited issues.

"Organizations attempting to operationalize KEV remediation should assume that a 'total' solution will involve multiple products from multiple vendors, each contributing partial visibility," he concluded in the research paper. "This is especially true in environments that include OT networks, managed service providers, or mobile bring-your-own device (BYOD) fleets. In these cases, the challenge is not merely identifying KEV-affected assets, but reconciling overlapping, incomplete, and sometimes contradictory data from disparate sources."

Data from the KEV Collider is available in a GitHub repository managed by runZero.

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News.
Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.