
CISA KEV, NVD, and Threat Intel Feeds: What to Trust for Exploit Prioritization

James Calvo · 10 min read

Before joining Vendrsec I spent five years in threat intelligence — maintaining CVE-to-campaign correlation databases, writing detections from malware analyses, and occasionally being the person who had to tell a security team that the CVE they'd deprioritized was now showing up in active ransomware toolkits. That last scenario is what motivates this piece.

The quality of your exploit intelligence directly determines whether your prioritization model catches the right findings before they get exploited. But not all exploit intelligence sources are created equal. CISA KEV, NVD CVSS data, commercial TI feeds, and EPSS each have distinct characteristics — coverage breadth, publication latency, false positive rate, and update frequency — that determine when and how they should inform your remediation decisions.

NVD: the baseline, not the signal

The National Vulnerability Database is the reference record for published CVEs. NVD enriches each CVE with CVSS scores (both Base Score and, where available, a CVSS Vector String with all submetrics), CWE classification, and affected product/version mappings in CPE format. For most organizations, NVD is the data source their scanners use to match installed software versions to known vulnerabilities.

NVD is a reference corpus, not an operational threat intelligence feed. It tells you about a vulnerability's properties as they were assessed at publication. It doesn't tell you whether exploitation activity has occurred in the wild since then. A CVE that appeared in NVD in 2021 with CVSS 9.1 but has never been exploited in a real attack looks identical in NVD to one that has been used in 200 confirmed incidents. From an operational prioritization standpoint, these require very different responses.

A practical NVD limitation that matters for prioritization: NVD analysis scores (the enriched CVSS data) can lag CVE publication by days to weeks, particularly for high-volume vulnerability disclosure periods. During major disclosure events — a widely exploited library vulnerability, a vendor patch Tuesday batch — NVD's enrichment queue backs up. Your scanner may be reporting CVEs before NVD has analyzed and scored them, leaving score-dependent prioritization with gaps.

CISA KEV: the highest-confidence exploit signal available publicly

The CISA Known Exploited Vulnerabilities catalog was established under Binding Operational Directive 22-01 in November 2021. It's maintained as a machine-readable JSON catalog of CVEs that CISA has confirmed are being actively exploited in the wild. Federal civilian executive branch agencies have mandatory remediation deadlines (typically 2 weeks for critical, 6 months for less critical) for KEV-listed vulnerabilities. For the broader private sector, KEV is authoritative in a softer sense: it's CISA's public statement that these CVEs have crossed from theoretical to confirmed exploitation.

KEV's strengths: high-confidence entries. CISA only adds CVEs with confirmed evidence of active exploitation — not just proof-of-concept code existence or theoretical exploitability. The catalog is updated multiple times per week and the JSON API makes automated ingestion straightforward. Coverage across vendor types is reasonably broad — network devices, enterprise software, operating systems, web applications.

KEV's limitations: coverage is incomplete by design. CISA focuses on CVEs that affect federal agency infrastructure and that meet their relevance criteria. Private-sector-targeted exploitation campaigns often involve CVEs that don't surface in KEV because the targets are commercial entities without CISA reporting requirements. The catalog is also inherently reactive — KEV addition typically lags initial observed exploitation by days to weeks. The 2021-2022 Log4Shell crisis showed how KEV additions can trail initial exploitation velocity during fast-moving disclosure events.

Our recommendation: KEV membership should be a hard override in your prioritization model. A KEV-listed CVE in your environment moves to the top of the queue regardless of CVSS tier. It's not a factor to be weighted against other factors — it's a binary escalation signal.

EPSS: probability-based prioritization at scale

The Exploit Prediction Scoring System (EPSS) was developed by FIRST and is now on its third major version. Where CVSS measures a vulnerability's intrinsic properties, EPSS estimates the probability that a given CVE will see exploitation activity in the next 30 days, based on historical exploitation data, vulnerability characteristics, and current threat intelligence signals.

EPSS scores are published daily for every CVE in NVD and are freely accessible via FIRST's API. The practical value: EPSS identifies CVEs with high exploitation probability that might have moderate CVSS scores, and conversely, identifies CVEs with high CVSS scores but historically low exploitation rates.

Research published alongside EPSS v3 found that roughly 4-7% of CVEs published in any given year will see meaningful exploitation activity within 12 months. EPSS concentrates its attention on that tail — a CVE scoring 0.8+ on EPSS has characteristics consistent with CVEs that have historically been exploited rapidly after publication. The bulk of NVD CVEs score below 0.05 on EPSS, indicating low observed exploitation interest from threat actors.

We're not saying EPSS should replace CVSS in your model — the two measure different things and both contribute signal. CVSS tells you the severity of a successful exploitation. EPSS tells you how likely exploitation is to occur. A CVE scoring low on EPSS but high on CVSS is genuinely dangerous if it's reachable in your environment — the exploit just hasn't been weaponized yet. The combined picture is more useful than either metric alone.

Commercial threat intelligence feeds: campaign context

Paid threat intelligence platforms — I won't name specific vendors here, but most security teams in the 500–5,000 employee range are evaluating 2-3 options — provide a richer exploitation context than any public source: actor attribution, campaign targeting patterns (which industries are being targeted by which CVE exploits), time-to-weaponization data (how quickly after CVE publication did exploit code appear in observed attacks), and dark web monitoring for CVE-specific exploit kit listings.

The signal quality from commercial feeds is generally higher than public sources, and their timeliness advantage over KEV can be significant — commercial feeds sometimes detect active exploitation campaigns days before CISA publishes a KEV entry, precisely because they're monitoring threat actor infrastructure and dark web forum activity rather than waiting for confirmed federal agency incidents.

The cost-benefit tradeoff is real. For a 3-person security team managing 1,500 assets, a full commercial TI platform subscription may not be justified given the cost. In practice, a combination of CISA KEV (free, high-confidence), EPSS (free, daily updates), and selective monitoring of CISA advisories and vendor security bulletins covers most of the operational signal you need for effective prioritization — with commercial feeds adding marginal value for environments where advanced persistent threats are a realistic concern.

How Vendrsec integrates multiple feed sources

In the Vendrsec scoring model, exploit intelligence contributes to the risk score through a three-tier hierarchy:

Tier 1 — Confirmed exploitation (CISA KEV membership or equivalent confirmed-exploitation signal): Hard multiplier applied. Findings with this signal move to the top of the prioritized queue regardless of other factors.

Tier 2 — High exploitation probability (EPSS score above threshold, typically 0.5+, or commercial feed active-campaign signal): Significant weight added to the composite risk score. These findings warrant expedited remediation SLA windows.

Tier 3 — Exploit code publicly available (Metasploit module, GitHub PoC, ExploitDB listing) but no confirmed in-wild exploitation: Moderate weight. Exploit availability substantially increases risk relative to no-exploit-known, but doesn't carry the confirmed-exploitation urgency of Tier 1.

No exploit signal known: baseline CVSS weight applies. The vulnerability is real but statistically unlikely to see exploitation activity in the near term based on historical patterns. Still requires remediation — but the SLA window is longer and the urgency level is appropriately reduced.
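To make the hierarchy concrete, here is an added worked example (example code, not Vendrsec's scoring engine) that ingests a constructed excerpt in the shape of the CISA KEV JSON catalog and the FIRST EPSS API response discussed in the earlier sections, classifies each finding into the tiers above, and sorts the queue so that a KEV-listed CVE with a modest CVSS outranks an unexploited CVSS 9.8. It also handles the NVD-lag case from the first section: a finding whose CVE has no NVD CVSS yet gets a provisional baseline rather than silently scoring zero. The tier multipliers, the 5.0 provisional baseline, and every CVE ID and value are this example's own assumptions; the KEV and EPSS field names are the ones those feeds actually publish.

```python
"""Three-tier exploit-signal prioritization over constructed KEV and EPSS data."""
import json

# Constructed excerpt in the shape of CISA's KEV JSON catalog (field names as
# published by CISA; the CVE IDs and values below are made up for illustration).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2099-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleGateway",
            "vulnerabilityName": "ExampleGateway command injection",
            "dateAdded": "2099-01-04",
            "shortDescription": "Constructed entry for illustration.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2099-01-18",
            "knownRansomwareCampaignUse": "Known",
        }
    ],
})

# Constructed response in the shape of FIRST's EPSS API (epss/percentile are strings).
EPSS_JSON = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2099-0001", "epss": "0.91", "percentile": "0.99"},
        {"cve": "CVE-2099-0002", "epss": "0.72", "percentile": "0.97"},
        {"cve": "CVE-2099-0003", "epss": "0.03", "percentile": "0.60"},
        {"cve": "CVE-2099-0004", "epss": "0.01", "percentile": "0.30"},
    ],
})

EPSS_THRESHOLD = 0.5  # Tier 2 cut-off named in the text

# Assumed weights: the text names a "hard multiplier", "significant" and "moderate"
# weight without numbers, so these values are this example's own choice.
TIER_MULTIPLIER = {1: 10.0, 2: 3.0, 3: 1.5, 4: 1.0}


def load_kev_ids(kev_json):
    """Return the set of CVE IDs listed in a KEV catalog document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def load_epss(epss_json):
    """Return {cve: epss probability as float} from an EPSS API response."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(epss_json)["data"]}


def exploit_tier(cve, kev_ids, epss, exploit_public, campaign_signal=False):
    """Map a finding's exploit signals onto the tier hierarchy (4 = no signal known)."""
    if cve in kev_ids:
        return 1
    if epss.get(cve, 0.0) >= EPSS_THRESHOLD or campaign_signal:
        return 2
    if exploit_public:
        return 3
    return 4


def risk_score(cvss, tier):
    """Composite score: CVSS baseline scaled by the tier multiplier.

    A finding whose CVE has not yet been analysed by NVD (cvss is None) must not
    silently score zero; this example assumes a provisional 5.0 baseline so that
    exploit signals still lift it in the queue.
    """
    baseline = 5.0 if cvss is None else cvss
    return round(baseline * TIER_MULTIPLIER[tier], 2)


def prioritize(findings, kev_json, epss_json):
    """Return findings sorted highest-risk first, each annotated with tier and score.

    findings: list of dicts with keys cve, cvss (float or None), exploit_public (bool)
    and optional campaign_signal (bool, e.g. a commercial feed active-campaign flag).
    """
    kev_ids = load_kev_ids(kev_json)
    epss = load_epss(epss_json)
    ranked = []
    for f in findings:
        tier = exploit_tier(f["cve"], kev_ids, epss, f.get("exploit_public", False),
                            f.get("campaign_signal", False))
        ranked.append({**f, "tier": tier, "score": risk_score(f.get("cvss"), tier)})
    # Tier first (Tier 1 is a hard override), then score, so a KEV-listed finding
    # with CVSS 6.5 still outranks an unexploited finding with CVSS 9.8.
    return sorted(ranked, key=lambda r: (r["tier"], -r["score"]))


# Constructed finding inventory: one CVE per tier, plus one awaiting NVD analysis.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2099-0004", "cvss": 9.8, "exploit_public": False},   # high CVSS, no signal
    {"cve": "CVE-2099-0001", "cvss": 6.5, "exploit_public": True},    # KEV-listed
    {"cve": "CVE-2099-0002", "cvss": 7.2, "exploit_public": True},    # EPSS 0.72
    {"cve": "CVE-2099-0003", "cvss": 8.1, "exploit_public": True},    # PoC only
    {"cve": "CVE-2099-0005", "cvss": None, "exploit_public": False},  # no NVD score yet
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, KEV_JSON, EPSS_JSON):
        print(f'{row["cve"]}  tier={row["tier"]}  score={row["score"]}')
```

Sorting on the tier before the numeric score is what makes KEV membership a binary escalation rather than one weighted factor among several: no multiplier on the CVSS 9.8 finding can move it above the Tier 1 entry.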

The latency problem: when feed timing matters

A scenario that illustrates why feed latency matters: a critical CVE drops on a Monday morning. Proof-of-concept code appears on GitHub by Tuesday afternoon. CISA KEV entry is published Thursday. Commercial threat intelligence feeds detect active exploitation campaigns Friday morning. By the weekend, multiple ransomware groups have integrated the exploit into their toolkits.

An organization running weekly scans with KEV-only intel ingestion won't see this CVE elevated in their prioritization queue until their next scan cycle runs after the KEV publication. That's potentially a 3-4 day window where the CVE exists in their environment, is being actively exploited in the wild, and is not in their urgent remediation queue.

This is why Vendrsec processes exploit intelligence feeds continuously, not just at scan time. When a new KEV entry publishes or a significant EPSS shift occurs for a CVE already in your finding inventory, the affected findings are immediately re-ranked. You don't need to wait for the next scan cycle to know that something changed in the threat landscape for a CVE already on your radar. For the scenario above, your team would see the EPSS escalation signal on Tuesday when PoC code appears — well ahead of the KEV Thursday confirmation — giving you a 48-hour head start on remediation.
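As an added illustration of continuous feed processing (example code, not Vendrsec's implementation), the function below compares consecutive KEV and EPSS snapshots and emits re-rank events only for CVEs already in the finding inventory, then replays the Monday-to-Thursday scenario above with constructed daily snapshots. The 0.5 threshold is the Tier 2 cut-off named earlier; the 0.2 minimum delta that separates a meaningful EPSS shift from day-to-day noise, and all CVE IDs and values, are assumptions of this example.

```python
"""Continuous feed ingestion: emit re-rank events on KEV additions and EPSS shifts."""

EPSS_THRESHOLD = 0.5   # Tier 2 cut-off named in the text
EPSS_MIN_DELTA = 0.2   # assumed: smaller day-to-day movement is not an escalation event


def feed_events(prev_kev, new_kev, prev_epss, new_epss, inventory):
    """Compare two feed snapshots and return re-rank events for CVEs in inventory.

    prev_kev / new_kev: sets of CVE IDs from consecutive KEV catalog pulls.
    prev_epss / new_epss: {cve: epss float} from consecutive daily EPSS pulls.
    inventory: CVE IDs present in the finding inventory; a KEV addition for
    software you do not run is not an event for your queue.
    Returns a list of (cve, reason) with reason one of
    "kev_added", "epss_crossed_up", "epss_jump".
    """
    events = []
    for cve in sorted((new_kev - prev_kev) & inventory):
        events.append((cve, "kev_added"))
    for cve in sorted(inventory):
        if cve in new_kev:
            continue  # already Tier 1; EPSS movement no longer changes its rank
        before = prev_epss.get(cve, 0.0)
        after = new_epss.get(cve, 0.0)
        if before < EPSS_THRESHOLD <= after:
            events.append((cve, "epss_crossed_up"))   # crossed into Tier 2
        elif after - before >= EPSS_MIN_DELTA:
            events.append((cve, "epss_jump"))         # large shift within a tier
    return events


# Constructed daily snapshots for the scenario in the text: CVE-2099-0100 is the
# new critical CVE (PoC appears Tuesday, KEV entry Thursday); CVE-2099-0200 is an
# older finding whose EPSS drifts slightly, which must not trigger anything.
DAILY_SNAPSHOTS = [
    ("Mon", {"kev": set(), "epss": {"CVE-2099-0100": 0.10, "CVE-2099-0200": 0.20}}),
    ("Tue", {"kev": set(), "epss": {"CVE-2099-0100": 0.64, "CVE-2099-0200": 0.22}}),
    ("Wed", {"kev": set(), "epss": {"CVE-2099-0100": 0.80, "CVE-2099-0200": 0.23}}),
    ("Thu", {"kev": {"CVE-2099-0100"},
             "epss": {"CVE-2099-0100": 0.93, "CVE-2099-0200": 0.21}}),
]
INVENTORY = {"CVE-2099-0100", "CVE-2099-0200"}


def replay(snapshots, inventory):
    """Walk consecutive snapshots and return {day: [events]} for days with events.

    The first snapshot is the baseline and produces no events of its own.
    """
    out = {}
    prev = None
    for day, snap in snapshots:
        if prev is not None:
            ev = feed_events(prev["kev"], snap["kev"], prev["epss"], snap["epss"], inventory)
            if ev:
                out[day] = ev
        prev = snap
    return out


if __name__ == "__main__":
    for day, ev in replay(DAILY_SNAPSHOTS, INVENTORY).items():
        print(day, ev)
```

Run against the constructed snapshots, the replay raises CVE-2099-0100 on Tuesday (EPSS crosses the Tier 2 threshold) and again on Thursday (KEV addition), while the older finding's small EPSS drift produces nothing; that Tuesday event is the 48-hour head start the text describes, and it fires without waiting for a scan cycle.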
