CISA KEV Automated Alerts: Build a Weekly Known Exploited Vulnerabilities Digest

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The CISA KEV JSON feed at cisa.gov (no authentication required) returns the full catalog on every request. To alert without a SIEM: fetch hourly via Python or PowerShell, diff against a saved snapshot by the dateAdded field, and send new entries to a Slack webhook or email. The feed also includes a knownRansomwareCampaignUse field, making it trivial to filter for the highest-priority additions. Federal agencies must remediate KEV entries by the dueDate under BOD 22-01; non-federal organizations have no mandate but KEV is the highest-signal patch prioritization input available.
Security teams that find out about CISA KEV additions from a weekly newsletter or a colleague's Slack message are already behind. CISA adds entries to the KEV catalog in real time when exploitation is confirmed -- not on a monthly schedule aligned with Patch Tuesday. A CVE added to KEV on a Wednesday afternoon and not surfaced to your patch team until the following Monday represents a multi-day window of preventable exposure.
The CISA KEV JSON API solves this problem. It exposes the full catalog as a machine-readable feed that can be queried programmatically, diffed against a prior snapshot to identify new additions, and piped into SIEM platforms, Slack channels, email digests, or vulnerability management system tickets. This guide covers the API format, integration patterns, and a weekly digest template for security operations teams.
The CISA KEV JSON API: structure and access
The CISA KEV catalog is available as a public JSON feed at no cost and with no authentication required:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The JSON structure includes a catalog version, total count, and an array of vulnerability objects. Each vulnerability object contains:
- cveID: the CVE identifier (e.g., 'CVE-2023-32315')
- vendorProject: the affected vendor name
- product: the affected product name
- vulnerabilityName: a short human-readable name
- dateAdded: ISO date when CISA added the entry to the catalog
- shortDescription: a brief description of the vulnerability
- requiredAction: what remediation CISA recommends
- dueDate: the mandatory remediation deadline for federal agencies under BOD 22-01
- knownRansomwareCampaignUse: 'Known' or 'Unknown' -- whether the vulnerability has been used in ransomware campaigns specifically
The feed returns all entries on every call. To detect new additions, your tooling must compare the current feed against a previously stored snapshot and identify entries where dateAdded equals or is greater than your last check timestamp.
Basic KEV alert: poll, diff, and notify
The minimal viable KEV alert is a script that runs on a schedule, fetches the JSON feed, compares it against the previously fetched version, and sends a notification when new entries are found. Here is the logic in pseudo-code:
- Fetch current KEV JSON feed
- Load previous snapshot (stored as JSON file from last run)
- Compute diff: entries where dateAdded > last_check_date
- If diff is non-empty: format notification and send to target (Slack, email, SIEM)
- Store current feed as new snapshot
Implementation options by tooling:
Python with requests: Fetch via requests.get(), parse with json.loads(), filter entries by dateAdded, send via Slack webhook or SMTP. Schedule with cron or a Lambda function.
PowerShell (Windows environments): Use Invoke-RestMethod to fetch the feed, ConvertFrom-Json to parse, Where-Object to filter by date, and Send-MailMessage or Invoke-RestMethod to a Teams webhook for notification.
Zapier or Make (no-code): Many no-code automation platforms support HTTP polling and JSON parsing. A Zapier zap can poll the KEV feed on a schedule, detect new entries, and post them to Slack or create a Jira ticket. This requires a paid Zapier plan for the polling and webhook action combination.
For production deployment, run the check hourly rather than daily. CISA adds entries throughout the business day without a predictable schedule.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
SIEM integration: ingesting KEV into Splunk, Sentinel, or Elastic
Integrating KEV data into your SIEM enables correlation between confirmed exploited vulnerabilities and the assets in your environment -- the most direct path from a KEV addition to a prioritized remediation ticket.
Splunk: KEV lookup table
Download the CISA KEV CSV export and import it as a Splunk lookup table (KV Store). Create a scheduled search that joins your Tenable or Qualys vulnerability scan results against the KEV lookup on CVE ID. Any scan finding where the CVE appears in the KEV lookup fires an alert and creates an incident in your ITSM tool. Update the KEV lookup table automatically via a Splunk scheduled search that re-fetches the JSON feed weekly.
Microsoft Sentinel: KEV watchlist
Import the CISA KEV CSV as a Microsoft Sentinel Watchlist named 'CISA-KEV'. Create an Analytics Rule that joins Microsoft Defender Vulnerability Management findings against the KEV Watchlist on CVE ID. When a Defender finding matches a KEV entry, the rule creates a Sentinel incident with Critical severity. The Watchlist can be updated via a Logic App that re-downloads the KEV feed on a weekly schedule.
Elastic Security: enrichment pipeline
In Elastic, use an ingest pipeline enrichment processor to tag vulnerability documents with a 'kev_listed: true' field when the CVE ID matches an entry in the CISA KEV data. Populate the KEV reference data as an Elastic index and use an Enrich Processor in the vulnerability document ingest pipeline. Create a detection rule that alerts on any vulnerability document where kev_listed equals true and asset_risk_score is above your threshold.
Weekly KEV digest format for security operations
For teams that want a structured weekly summary rather than real-time per-entry alerts, a weekly KEV digest aggregates the week's additions into a structured report. The digest can be delivered by email, posted to a Slack channel, or added to a security operations wiki.
Recommended weekly digest sections:
-
New this week: All CVEs added to KEV in the past 7 days, organized by vendor. Include: CVE ID, vendor/product, vulnerability type, due date for federal agencies, and ransomware campaign usage flag.
-
Ransomware-linked additions: Highlight any this-week entries where knownRansomwareCampaignUse equals 'Known.' These represent confirmed dual-use by ransomware operators and carry higher operational urgency for most private organizations.
-
High-EPSS additions: Cross-reference new KEV entries against EPSS scores using the FIRST EPSS API (api.first.org/data/1.0/epss). Entries with EPSS above 0.5 (50% probability of exploitation in the next 30 days) combined with KEV confirmation represent the most urgent remediation priorities.
-
Environment relevance filter: If your vulnerability management platform exposes an API (Tenable, Qualys, Rapid7), cross-reference new KEV entries against your scan findings to surface only the KEV additions that affect software actually running in your environment.
-
Remediation tracking: Which KEV entries from prior weeks are still open in your environment past their due date. This is the accountability section that drives patch SLA compliance.
Enriching KEV alerts with EPSS and NVD data
Raw KEV additions provide confirmation of exploitation and the affected product, but not CVSS score, EPSS probability, or detailed technical description. Enriching KEV additions with data from EPSS and NVD produces significantly more actionable alerts.
FETCH EPSS for a CVE: curl 'https://api.first.org/data/1.0/epss?cve=CVE-2023-32315'
Returns: epss score (probability of exploitation in next 30 days) and percentile.
FETCH NVD details: curl 'https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-32315'
Returns: CVSS score, description, CWE classification, and affected CPE product list.
The combined data format for a KEV alert notification:
- CVE ID + NVD description
- CVSS 3.x base score from NVD
- EPSS score and percentile from FIRST
- KEV due date and ransomware use flag from CISA
- Affected product from NVD CPE list
- Your internal asset count from your vulnerability management platform
A KEV entry with CVSS 9.8 + EPSS 0.95 + ransomware campaign use + 47 affected assets in your environment is a same-day incident. A KEV entry with CVSS 5.5 + EPSS 0.12 + no ransomware use + 0 affected assets in your scan data is a zero-action item for your environment. The enrichment separates them automatically.
BOD 22-01 compliance tracking for federal and contractor environments
Federal civilian agencies are required under CISA Binding Operational Directive 22-01 to remediate all KEV-listed vulnerabilities within the timeframe specified in each entry's dueDate field. Private sector organizations are not bound by BOD 22-01 but are strongly advised to treat KEV deadlines as a reasonable remediation SLA benchmark.
For organizations needing to track BOD 22-01 compliance:
-
Build a KEV compliance dashboard that shows all open KEV entries affecting your environment, their due dates, and current patch status. Entries past due date are compliance gaps.
-
Automate ticket creation in your ITSM tool (ServiceNow, Jira, Remedy) with due date fields populated from the CISA KEV dueDate field. This creates an auditable remediation record for each KEV entry.
-
Generate weekly reports showing: KEV entries added this week, entries within 7 days of due date, and entries past due date. This is the report your leadership and auditors will ask for.
The bottom line
The CISA KEV catalog is free, public, machine-readable, and updated in real time. There is no good reason for a security operations team to find out about new exploited vulnerability confirmations more than a few hours after CISA posts them.
A basic hourly poll of the KEV JSON feed, a diff against the prior snapshot, and a Slack webhook notification is a 50-line script that eliminates the multi-day lag entirely. Add NVD and EPSS enrichment and you have a self-triage alert that tells your patch team exactly how urgent each new entry is before they open the ticket.
For the full prioritization framework that combines CVSS, CISA KEV, and EPSS into a defensible patch SLA decision tree, see the CVSS vs. CISA KEV prioritization guide. For June 2026 Patch Tuesday deployment guidance using KEV as the first prioritization input, see the Patch Tuesday June 2026 guide. For a complete code walkthrough of the CISA KEV JSON API endpoint with Python, Node, and Bash polling scripts, see the CISA KEV API automation guide.
Frequently asked questions
What is the CISA KEV JSON API endpoint?
The CISA Known Exploited Vulnerabilities JSON feed is available at: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json -- no API key or authentication is required. The feed is publicly accessible and returns the full catalog on every request. Fetch it programmatically by making an HTTP GET request to that URL and parsing the JSON response. The catalog updates in real time when CISA confirms new exploited vulnerabilities.
How often should I poll the CISA KEV API?
Poll the CISA KEV API hourly for real-time alerting. CISA adds entries throughout the business day without a predictable schedule, so daily polling misses a multi-hour to same-day response window. An hourly poll with diff detection adds minimal load (the JSON file is approximately 500KB) and ensures your team is notified within an hour of any new addition. For non-real-time weekly digest workflows, daily polling is sufficient.
How do I find out what CVEs were added to CISA KEV this week?
Fetch the CISA KEV JSON feed and filter entries where the dateAdded field falls within the past 7 days. In Python: filter([e for e in kev_data['vulnerabilities'] if e['dateAdded'] >= seven_days_ago]). The CISA website also provides a sortable table at cisa.gov/known-exploited-vulnerabilities-catalog where you can sort by Date Added to see the most recent entries.
What does the 'knownRansomwareCampaignUse' field mean in the CISA KEV?
The knownRansomwareCampaignUse field indicates whether CISA has confirmed that the CVE has been used specifically in ransomware campaigns. Entries with value 'Known' mean ransomware operators have actively exploited this vulnerability in real-world ransomware attacks. Entries with value 'Unknown' mean active exploitation is confirmed but ransomware-specific use has not been confirmed (exploitation may be by nation-state actors, criminal groups, or other threat actors). Ransomware-linked KEV entries carry higher urgency for private sector organizations because ransomware operators typically target a broader range of industries than nation-state actors.
How do I integrate CISA KEV into Splunk?
The most common Splunk integration method is a KEV lookup table. Download the CISA KEV CSV from the CISA website, import it as a Splunk lookup (inputlookup). Create a scheduled search that joins your vulnerability scan results (from Tenable, Qualys, or Rapid7 ingested into Splunk) against the KEV lookup on the CVE ID field. When a scan finding matches a KEV entry, trigger a Notable Event in Splunk Enterprise Security or send an alert to your ITSM tool. Schedule the KEV lookup refresh weekly to keep the table current.
Are private sector organizations required to follow CISA KEV remediation deadlines?
No. CISA BOD 22-01 mandatory remediation deadlines apply only to US federal civilian executive branch agencies. Private sector organizations have no legal obligation to follow KEV deadlines. However, CISA strongly recommends all organizations use the KEV catalog as a prioritization signal and treat the federal deadlines as a reasonable benchmark. Many organizations adopt KEV deadlines voluntarily as their own patch SLA targets because they represent a defensible, auditable, publicly available standard with CISA's authority behind it.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
