New Paper and Tool Help Security Teams Move Beyond Blind Reliance on CISA’s KEV Catalog
- Last updated: 2026-02-10
The KEV list is useful but largely misunderstood. KEVology explains what it is, and how best to use it.
CISA’s KEV Catalog, more commonly known as the KEV list, emerged with the issue of BOD 22-01 in November 2021. This catalog, currently a list of just over 1,500 vulnerabilities known to have been exploited in the wild, looks like a high-value prioritization source for vulnerability remediation across industry. It can be, but it is not automatically so. It has two limitations: range and detail.
The cybersecurity of private business is not CISA’s function. CISA’s remit is to raise the security of FCEB (Federal Civilian Executive Branch) agencies, and KEV is a notification to those agencies of vulnerabilities that are both urgent (already being exploited) and fixable (a clear remediation action, usually a vendor patch, exists).
Curating a list to those requirements demands strict inclusion criteria, and those criteria inevitably exclude far more vulnerabilities than they admit. This is the range limitation. The second limitation is that each KEV entry is sparse on detail, which makes it difficult to decide the order in which to remediate.
Tod Beardsley, currently VP of Security Research at runZero (and formerly CISA’s KEV section chief), has written a paper simply titled ‘KEVology’. It is designed to help security teams understand KEV and how best to use it.
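Both limitations are easy to see in practice. The Python below is an added illustration, not code from the KEVology paper or from runZero: it parses a feed in the shape of CISA’s public KEV JSON and joins it against an asset inventory. The field names follow the real KEV schema, but the catalog records, the inventory, and the EPSS-style likelihood scores are constructed placeholders, and the external scoring source is an assumption, since a KEV entry itself offers only a due date, a ransomware flag, and a required action to rank by.

```python
import json
from datetime import date

# Constructed stand-in for the real feed published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Field names match the public KEV schema; the two records are fictitious
# placeholders (the CVE IDs, vendor and products are not real).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "dateReleased": "2026-01-15T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleGateway",
            "vulnerabilityName": "ExampleVendor ExampleGateway Authentication Bypass",
            "dateAdded": "2026-01-10",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2026-01-31",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
            "cwes": ["CWE-287"],
        },
        {
            "cveID": "CVE-0000-0002",
            "vendorProject": "ExampleVendor",
            "product": "ExampleBuildServer",
            "vulnerabilityName": "ExampleVendor ExampleBuildServer Path Traversal",
            "dateAdded": "2026-02-01",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-03-01",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
            "cwes": ["CWE-22"],
        },
    ],
})

# Constructed asset inventory: the CVEs a scanner reported per host (placeholder IDs).
SAMPLE_INVENTORY = [
    {"host": "vpn-01", "cves": ["CVE-0000-0001"]},
    {"host": "build-02", "cves": ["CVE-0000-0002", "CVE-0000-0003"]},
]

# Assumed external exploit-likelihood scores (EPSS-style, 0..1) keyed by CVE.
# KEV carries no such score; the "detail" for ordering has to come from elsewhere.
SAMPLE_EPSS = {"CVE-0000-0001": 0.92, "CVE-0000-0002": 0.04, "CVE-0000-0003": 0.81}


def load_kev(feed_text):
    """Parse a KEV-shaped JSON feed into {cveID: entry}, checking the count field."""
    feed = json.loads(feed_text)
    entries = {v["cveID"]: v for v in feed["vulnerabilities"]}
    if feed.get("count") not in (None, len(entries)):
        raise ValueError("count field does not match number of vulnerabilities")
    return entries


def triage(kev, inventory, today_iso, epss):
    """Split inventory findings into ranked KEV hits and non-KEV findings.

    Ranking uses what the entry itself offers (past the BOD 22-01 due date,
    known ransomware use) and falls back to the external score for the rest.
    """
    today = date.fromisoformat(today_iso)
    hits, not_in_kev = [], []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                # Range limitation: absent from KEV means the CVE failed the
                # inclusion criteria, not that it is unexploited or safe.
                not_in_kev.append((asset["host"], cve, epss.get(cve, 0.0)))
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": asset["host"],
                "cve": cve,
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "epss": epss.get(cve, 0.0),
            })
    # Overdue first, then known ransomware use, then highest external score.
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], -h["epss"]))
    not_in_kev.sort(key=lambda t: -t[2])
    return hits, not_in_kev


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    ranked, others = triage(kev, SAMPLE_INVENTORY, "2026-02-10", SAMPLE_EPSS)
    for h in ranked:
        print(f"KEV  {h['host']:<9} {h['cve']}  overdue={h['overdue']} "
              f"ransomware={h['ransomware']} epss={h['epss']}")
    for host, cve, score in others:
        print(f"--   {host:<9} {cve}  not in KEV, external score={score}")
```

Note that the non-KEV finding on build-02 carries the second-highest assumed score in the whole inventory: a KEV-only policy would never queue it, which is the range problem in one line of output.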
Beardsley explained CISA’s KEV and his KEVology paper to SecurityWeek. “To be included in the KEV,” he said, “a vulnerability must have the four qualities defined in BOD 22-01. Firstly, it must have a CVE number – so a super fresh zero-day will not make it into KEV.”

