Known Exploited Vulnerabilities Catalog


In an effort to reduce the significant risk posed by known exploited vulnerabilities, late last year the Cybersecurity & Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01, “for the purposes of safeguarding federal information and information systems.”

This directive establishes a catalog of Known Exploited Vulnerabilities (KEVs) that highlight vulnerabilities that require immediate remediation due to reliable evidence that the exploits are being actively used in the wild. The required actions, after issuance and periodic updates to KEVs, ensures that agencies adhere to remediation policies, procedures and reporting requirements for compliance.

Remediation requirement deadlines can span from the immediate (now) to multiple months in the future (6 months from now). Early identification of KEVs, through a combination of online real-time threat intelligence and machine learning-base prediction, has the ability to give agencies more time to act. When CISA published the catalog of known exploited vulnerabilities, we looked to see how well our system identified these KEVs. The results were the following:

  • 89% of the catalog identified early
  • 41.5% of the catalog identified early by prediction technology alone
  • 47.5% of the catalog identified by threat intelligence

The results show an overwhelming impact for federal agencies, partners and outside enterprises, giving them more time to remediate. On average, CVEs were identified by NorthStar 487 days before they appeared on the KEVs list.

While some vulnerability technologies provide a wide range of prediction probability, NorthStar is the industry’s only categorial yes/no vulnerability prediction, providing a definitive assessment on whether a CVE will be exploited in the wild.

For more information on vulnerability exploit prediction, click here.