The Known Exploited Vulnerabilities Catalog (KEV) is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a reference to help organisations better manage vulnerabilities and keep pace with threat activity.
Since its first publication in 2021, it has gone beyond its US federal agency scope and has been adopted by various organisations across the globe as guidance for their vulnerability management prioritisation frameworks.
The reason for this is two-fold and lies in effective vulnerability management and how the KEV entries are curated.
What is vulnerability management?
Vulnerability management is a continuous process to keep systems up to date against a consistent stream of emerging threats. Deciding on what to patch and how to patch requires a decision process on what vulnerabilities pose the greater risk, what patches lower that risk, and repeating it over all vulnerabilities of interest until a consensus over the patching order…
