CISA KEV Triage: How to Prioritize Known Exploited Vulnerabilities When You Can't Patch Everything

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
"Patch everything in the KEV catalog" is not a practical directive when the catalog contains over 1,100 entries and your team patches 20 CVEs per sprint. The CISA Known Exploited Vulnerabilities catalog is the most reliable free signal for identifying which CVEs are being actively weaponized, but triage is unavoidable at that scale.
This guide gives you a three-variable framework for ranking KEV entries by actual risk to your organization: exploitation evidence recency, asset exposure in your environment, and business impact of affected systems. The output is a four-tier priority queue, Patch Now, This Sprint, Scheduled, Monitor, that transforms the KEV catalog from an overwhelming list into an executable work plan.
The framework uses only free data sources: the KEV catalog itself, EPSS scores from FIRST.org, and your asset inventory. A team of two can run a full weekly triage in under 30 minutes.
What the CISA KEV Catalog Actually Represents
CISA adds a CVE to the KEV catalog only when it meets a specific evidence bar: the vulnerability has a CVE ID assigned, there is credible evidence of active exploitation in the wild, and clear remediation guidance is available. CISA does not add theoretical risks or newly disclosed vulnerabilities without exploitation evidence.
This evidence bar makes KEV meaningfully different from a vulnerability scanner output or a list of high-CVSS CVEs. A vulnerability scanner may flag 500 high-severity findings across your environment. Only a small fraction will ever be exploited in real attacks. KEV entries have already crossed that threshold.
The catalog is not exhaustive. Thousands of CVEs are exploited in the wild without appearing in KEV, particularly those targeting obscure or niche products. KEV represents confirmed exploitation that CISA has verified, it is a floor, not a ceiling, for your patching priorities.
For federal agencies, patching KEV entries within the mandated timeline (typically 14 days for internet-facing assets, 60 days for others) is legally required under BOD 22-01. For private organizations, CISA frames KEV as a strong recommendation. The business case is clear regardless of legal obligation: 60% of ransomware incidents in 2025 exploited a CVE that was already in the KEV catalog at the time of the attack.
Why CVSS Alone Fails Within the KEV Catalog
A common mistake when triaging KEV entries is sorting by CVSS score and patching top-down. CVSS measures the theoretical maximum severity of a vulnerability under ideal exploit conditions. It does not measure how likely the vulnerability is to be exploited in your environment, how difficult it is to reach, or whether it affects assets that matter to your business.
Two CVEs can both sit in KEV with very different risk profiles. A CVSS 9.8 remote code execution vulnerability in an internet-facing VPN product with a public exploit is an immediate crisis. A CVSS 9.8 vulnerability in a legacy desktop application that requires local access and runs only on a decommissioned host is low priority regardless of score.
Within KEV, CVSS fails as a primary sort because every entry has already passed the exploitation evidence threshold. The question is not whether they are being exploited in the wild. They all are. The question is whether they affect assets you run, whether those assets are reachable from the internet, and whether a compromise would be catastrophic or merely disruptive.
For a detailed explanation of how CVSS, EPSS, and KEV work together, see the CVSS Score vs. Real-World Exploitability guide. For the quickest automated triage output, the Patch Priority Tool applies SSVC-based decision logic to score your inputs in under a minute per CVE.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Three Triage Variables
Three variables determine where a KEV entry sits in your priority queue. Apply them in order, the first variable that produces a clear signal ends the triage for that entry.
Variable 1: Exploitation recency and campaign activity
When was this CVE added to KEV? Is it being used in an active campaign right now, or was it added years ago to document historical exploitation? A CVE added to KEV in the past 30 days during an active ransomware campaign targeting your sector is categorically higher priority than a CVE added in 2022 for a product version you no longer run.
Signals to check: Decryption Digest daily posts and CISA advisories for active campaign citations, EPSS score from first.org/epss (scores above 0.5 indicate high probability of near-term exploitation attempts), and whether the CVE appears in any current threat actor attribution relevant to your sector.
Variable 2: Asset exposure in your environment
Do you run the affected product, and is it reachable from the internet or from untrusted network segments? A KEV entry for software you do not run requires zero action. A KEV entry for an internet-facing application scores highest for exposure. A KEV entry for an internal application accessible only from managed endpoints scores lower.
Check your asset inventory against the affected CPE strings in the CVE record. Your vulnerability scanner should flag this automatically if configured to check KEV status. If not, cross-reference manually using the CVE's affected product list.
Variable 3: Business impact of the affected asset
If the affected asset were compromised, what is the worst-case business impact? Assets that store regulated data, process financial transactions, control OT or ICS systems, or serve as authentication infrastructure have higher business impact than development workstations or test environments.
This variable is why two organizations can look at the same KEV entry and reach different prioritization conclusions. A CVE affecting your production payment processing server is Patch Now. The same CVE affecting an identical server in your QA environment is This Sprint.
Exploitation recency and campaign activity
Recently added KEV entries in active campaigns against your sector take priority over historical additions for products you have since updated or replaced.
Asset exposure in your environment
Internet-facing assets running the affected product score highest. Internal assets behind multiple network controls and no exposure to untrusted networks score lower.
Business impact of the affected asset
Assets handling regulated data, authentication, financial transactions, or critical operations score highest regardless of network exposure level.
The Four-Tier Priority Output
Apply the three variables to produce one of four triage outcomes for each KEV entry:
Patch Now (within 24 to 72 hours): CVE added to KEV in the past 30 days or currently cited in an active campaign targeting your sector, asset is internet-facing, and the affected asset has high business impact. This is incident-response-tier urgency. Pull the affected system for emergency patching or apply the CISA-recommended workaround immediately.
This Sprint (within 14 days): Active exploitation evidence, asset is in your environment, but asset is not internet-facing or business impact is moderate. Schedule for the current or next sprint with a named owner and completion date.
Scheduled (30 to 90 days): CVE is in KEV but exploitation is predominantly historical (added more than 6 months ago with no recent campaign citation), asset is in your environment, and exposure or business impact is limited. Add to your standard vulnerability management backlog.
Monitor (no immediate action): Asset is not in your environment, or the affected product version is already patched in your current deployment. Log that you reviewed the entry and the basis for deferral. Revisit if your asset inventory changes.
Document your triage decision for each entry. Auditors and incident responders will ask why a specific KEV entry was not patched in the event of a related breach. A logged triage decision with a rationale is significantly better than silence.
When KEV Volume Exceeds Sprint Capacity
A high-activity period, Patch Tuesday with multiple KEV additions, a major zero-day campaign, or a large vendor security advisory, can produce more Patch Now and This Sprint entries than your team can process in two weeks. When that happens, apply a secondary sort within each tier.
Within Patch Now, sequence by: internet-facing first, then authentication systems, then data stores, then other systems. An internet-facing VPN concentrator gets patched before an internal LDAP server even if both are rated Patch Now.
If still over capacity after sequencing, escalate to your CISO with a written briefing showing the gap: how many Patch Now or This Sprint items exist, your team's current capacity in CVEs per sprint, and the specific systems that will remain unpatched. A CISO who understands the capacity gap can authorize temporary compensating controls, emergency contractor support, or targeted network isolation for the highest-risk systems. A CISO who is not informed cannot make those decisions.
The Patch Priority Tool automates this scoring using SSVC-inspired decision logic. Input the exploitation status, technical impact, exposure, and mission criticality for each CVE to get a priority tier in under a minute per entry without manual variable scoring.
Integrating KEV Into Your Vulnerability Management Workflow
The most effective KEV integration uses automation to surface new additions before your weekly triage rather than relying on manual catalog checks.
Set up a weekly KEV diff. The catalog is available as a machine-readable JSON file at cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. A simple script that downloads this file weekly, compares it against last week's version, and posts the new additions to a Slack channel or sends an email takes under 30 minutes to build and eliminates the risk of missing a new entry.
Configure your vulnerability scanner to surface KEV status. Tenable Nessus, Qualys VMDR, and Rapid7 InsightVM all support CISA KEV status as a native filter as of 2025. Configure your scanner to flag KEV membership as a separate severity field so KEV entries surface at the top of your queue independent of CVSS score.
For environments without a commercial scanner, the free Greenbone Community Edition (formerly OpenVAS) supports KEV-based filtering. Export scan results and cross-reference against the KEV JSON feed using CVE IDs. A Python script that does this comparison runs in seconds against even large scan outputs.
The bottom line
The CISA KEV catalog is a prioritization signal, not a patch list. Apply three variables to each entry in order: exploitation recency and current campaign activity, whether the affected asset is in your environment and internet-facing, and the business impact of that asset if compromised. The four-tier output turns 1,100 entries into an executable sprint plan. Document every triage decision. When sprint capacity is exceeded, escalate with a written gap analysis rather than silently deferring Patch Now items.
Frequently asked questions
What is the CISA Known Exploited Vulnerabilities catalog?
The CISA Known Exploited Vulnerabilities catalog is a curated list of CVEs that CISA has confirmed are actively being exploited in real-world attacks. CISA adds a CVE only when there is credible evidence of active exploitation in the wild and clear remediation guidance exists. As of May 2026 the catalog contains over 1,100 entries. Under Binding Operational Directive 22-01, federal civilian agencies must patch KEV entries within mandated timelines. Private organizations are not legally bound but widely use the 14-day and 60-day timelines as patching benchmarks.
Is the CISA KEV patching mandate binding for private companies?
Binding Operational Directive 22-01 applies only to Federal Civilian Executive Branch agencies. Private organizations are not legally required to follow CISA's KEV remediation timelines. However, cyber insurance policies increasingly reference KEV compliance, and failure to patch a KEV-listed vulnerability that is subsequently exploited can affect breach liability and coverage claims. The 14-day and 60-day timelines are widely used as private-sector patching benchmarks regardless of legal obligation.
How do I decide which KEV entries to patch first?
Apply three variables in order: exploitation recency and current campaign activity (recently added KEV entries cited in active campaigns targeting your sector are highest priority), asset exposure in your environment (internet-facing instances of the affected product score highest), and business impact of the affected asset (authentication systems, regulated data stores, and OT/ICS control systems score highest). The combination produces a four-tier queue: Patch Now, This Sprint, Scheduled, and Monitor.
What is EPSS and how do I use it alongside CISA KEV?
EPSS (Exploit Prediction Scoring System) is a model from FIRST.org that predicts the probability a CVE will be exploited in the next 30 days, scored from 0 to 1. For CVEs already in KEV, use EPSS as a recency signal, a KEV entry with an EPSS score above 0.5 indicates current high exploitation activity and scores higher than a KEV entry with a low EPSS score from a historical campaign. Get current EPSS scores at first.org/epss or via the FIRST API at api.first.org/data/v1/epss.
How quickly does CISA add CVEs to KEV after exploitation is confirmed?
CISA typically adds CVEs within days to weeks of confirmed exploitation evidence. High-profile zero-days with immediate mass exploitation are often added within 48 to 72 hours of public disclosure. Lower-profile exploitation may take weeks. Threat intelligence feeds, vendor advisories, and ISAC sharing often surface exploitation evidence faster than KEV. KEV represents the high-confidence confirmation floor, it is not the leading edge of exploitation awareness.
What do I do when KEV entries exceed my patching sprint capacity?
Sequence within tiers: prioritize internet-facing assets first, then authentication and identity infrastructure, then regulated data stores, then other systems. If the gap between available capacity and required patching volume is significant, escalate to your CISO with a written briefing quantifying the shortfall. Present the number of Patch Now or This Sprint items, your team's capacity in CVEs per sprint, and the specific systems that will remain unpatched. A CISO informed of the gap can authorize compensating controls or emergency contractor support.
How do I integrate CISA KEV into my existing vulnerability management tool?
Tenable Nessus, Qualys VMDR, and Rapid7 InsightVM all support CISA KEV status as a native filter. Configure your scanner to surface KEV entries at the top of scan results independent of CVSS score. For a lightweight free integration, download the KEV JSON feed from cisa.gov weekly and cross-reference against your scan output by CVE ID. A weekly diff script that posts new KEV additions to Slack or email takes under 30 minutes to build and prevents missed additions between manual checks.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
