There is a clear difference between organizations that react to cyberattacks and those that anticipate them. The former wait for something to go wrong; the latter already know what they’re going to patch before the attacker comes knocking.

One of the tools that sets them apart from one another is the CISA’s KEV catalog (Known Exploited Vulnerabilities), a resource that, when used properly, can completely change the way a company manages its vulnerabilities.

 

What Is CISA’s KEV Catalog, and Why Does It Matter?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a public list of vulnerabilities that are already being actively exploited by malicious actors. These are not theoretical flaws or hypothetical risks; they are real vulnerabilities, with evidence of their use in actual attacks.

The catalog of known exploited vulnerabilities It is updated continuously. Every time CISA adds a new entry, it is issuing a warning. Therefore, for any security team, this catalog is not just a technical reference, but a list of priorities that should not be ignored.

A signal that extends beyond U.S. borders

Although the directive requiring action on this catalog, the Binding Operational Directive (BOD) 26-04, primarily affects U.S. federal civilian agencies, its usefulness knows no bounds. Any company, regardless of size or industry, can use CISA’s KEV catalog as a guide to decide which vulnerabilities to address first.

The underlying message is simple: if malicious actors are already exploiting a vulnerability, that vulnerability moves to the top of the list, ahead of others with higher CVSS scores but no evidence of active exploitation.

 

The Problem with Setting Priorities Without Real Data

One of the most common pitfalls in vulnerability management is relying solely on the severity score. The CVSS system assigns a numerical score to each vulnerability, which is useful but incomplete.

Theoretical Severity vs. Actual Risk

A vulnerability with a CVSS score of 9.8 may go months without being actively exploited. Meanwhile, another flaw with a CVSS score of 6.5 is already being used by ransomware groups to compromise production systems. If the security team prioritizes its backlog solely by severity, it may be devoting resources to the wrong problem.

This is where the KEV catalog offers something that CVSS cannot: real-world exploitation contextl. Knowing that a vulnerability is being exploited right now immediately changes its priority, regardless of its score.

Volume as an Obstacle

The volume of threats continues to grow exponentially; in 2025 alone, more than 48,000 new vulnerabilities (CVEs) were published. According to industry analyses, this represents an all-time high, equivalent to discovering an average of 132 new security flaws every day. No security team can patch them all at the same rate they appear. Prioritization is the only way to stay afloat.

The KEV catalog acts as a filter: from among those tens of thousands of vulnerabilities, it identifies those for which there is reliable evidence of active exploitation. This transforms an unmanageable list into something actionable.

 

How More Mature Organizations Use the KEV Catalog

Organizations with a stronger security posture do not treat the KEV catalog as a simple to-do list. Instead, they integrate it into an ongoing process of identification, assessment, and response.

Continuous monitoring of the catalog

Catalog updates are frequent and sometimes urgent. In June 2026, for example, CISA added two new vulnerabilities: a path traversal in Cisco Catalyst SD-WAN Manager and a symbolic link tracking vulnerability (symbolic link following) in the LiteSpeed plugin in cPanel. Both already had evidence of active exploitation at the time they were included.

Organizations that detected these additions immediately were able to take action before the problem spread. Those that did not have an alert system for KEV catalog updates found out later—or not at all.

Cross-referencing the catalog with one’s own knowledge

Knowing that a vulnerability exists in a specific product is only useful if you know whether that product is present in your own environment. That is why the best-prepared companies continuously cross-reference entries in the KEV catalog with their asset inventory.

This process, which is part of what is known as Continuous Threat Exposure Management, allows us to answer a specific question: Is there anything nearby that’s on the CISA list?

Consider the context before taking action

Not all vulnerabilities in the KEV catalog affect every environment in the same way. A flaw in a product that the organization does not use is, for all practical purposes, irrelevant. But a flaw in a critical system exposed to the internet requires an immediate response.

The most advanced organizations don’t just detect vulnerabilities—they put them into context. They assess whether the affected asset is exposed, what data it handles, what impact its compromise would have, and what mitigation options exist beyond the patch (which sometimes cannot be applied immediately without disrupting operations).

You might be interested in:> Real-Time Vulnerability Management: A Step Forward in Cybersecurity.

 

CTEM: The Framework That Brings It All Together

CTEM This approach makes it possible to turn CISA’s KEV catalog into something actionable within an organization. It’s not about conducting a vulnerability assessment once a year; it’s about maintaining constant visibility into the attack surface and taking action commensurate with the actual risk.

This approach structures the process into five phases: scope definition, asset and vulnerability discovery, prioritization based on actual risk, validation, and mobilization for remediation. The KEV catalog directly feeds into the prioritization phase.

 

Kartos and Qondar: Cyber Surveillance Focused on Actual Risk

At Enthec, we have developed two cyber surveillance solutions designed specifically within this CTEM framework. Kartos, aimed at businesses, provides continuous visibility into an organization’s external exposure, detecting compromised assets, leaked credentials, exploitable vulnerabilities, and active threats before they result in an incident.

Qondar offers the same features, but for individual users, protecting the digital identities of people exposed to specific risks.

Both solutions integrate threat intelligence sources to provide contextualized and prioritized alerts. The goal is not to create a fuss, but to highlight what really matters at any given moment.

Would you like to know your organization’s actual exposure? Contact us and find out what an attacker sees when searching for vulnerabilities in your company.

CISA’s KEV catalog is one of the most valuable and accessible threat intelligence tools available today. Its value lies not in the volume of entries, but in the quality of the intelligence it provides. These vulnerabilities are not theoretical; they are the ones attackers are exploiting right now.

Organizations that know how to leverage the catalog of known exploited vulnerabilities as part of a continuous exposure management process have a real advantage over those that manage security reactively. The difference isn’t in having more tools, but in knowing what to look for and when to act.

And in cybersecurity, that is what separates those who contain incidents from those who fall victim to them.