CISA Known Exploited Vulnerabilities Catalog


In an effort to reduce the significant risk posed by known exploited vulnerabilities, late last year the Cybersecurity & Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01, “for the purposes of safeguarding federal information and information systems.”

Binding Operational Directive 22-01

This directive establishes a catalog of Known Exploited Vulnerabilities (KEVs) that highlight vulnerabilities that require immediate remediation due to reliable evidence that the exploits are being actively used in the wild. The required actions, after issuance and periodic updates to KEVs, ensures that agencies adhere to remediation policies, procedures and reporting requirements for compliance.


Remediation requirement deadlines can span from the immediate (now) to multiple months in the future (6 months from now). Early identification of KEVs, through a combination of online real-time threat intelligence and machine learning-base prediction, has the ability to give agencies more time to act. When CISA published the catalog of known exploited vulnerabilities, we looked to see how well our system identified these KEVs. The results were the following:

  • 89% of the catalog identified early
  • 41.5% of the catalog identified early by prediction technology alone
  • 47.5% of the catalog identified by threat intelligence

More Time to Remediate

The results show an overwhelming impact for federal agencies, partners and outside enterprises, giving them more time to remediate. On average, CVEs were identified by NorthStar 487 days before they appeared on the KEVs list.

While some vulnerability technologies provide a wide range of prediction probability, NorthStar is the industry’s only categorial yes/no vulnerability prediction, providing a definitive assessment on whether a CVE will be exploited in the wild.

Early Warning System

We’re tracking all KEV catalog updates, identifying if CVEs were found early and what technology, if any, was used for the early identification (threat intelligence or exploit prediction). Keep this handy to determine if you’re  existing vulnerability tools are keeping up with the most recent additions to the catalog.

For more information on vulnerability exploit prediction, click here.