Security Bsides Las Vegas 2024

Discover the Hidden Vulnerability Intelligence within CISA's KEV Catalog
2024-08-07, Florentine E

Dive into the dynamic world of cybersecurity intelligence, focusing on the Known Exploited Vulnerabilities (KEV) catalog, initially crafted by the Cybersecurity and Infrastructure Security Agency (CISA) for government use but now a cornerstone across industries. Join me as I unravel the insights hidden within this treasure trove of exploit intelligence, offering a fresh perspective on prioritizing vulnerabilities in today's ever-evolving threat landscape.


While the Cybersecurity and Infrastructure Security Agency (CISA) originally created the Known Exploited Vulnerabilities (KEV) catalog for government use, it quickly became a vital dataset across the entire cybersecurity industry. As a government organization with strong official and unofficial connections across all industries, CISA has unparalleled access to exploit intelligence and can react quickly to the ever-changing vulnerability landscape, making KEV a powerful tool for creating a baseline and prioritizing the most critical vulnerabilities.

Since the catalog's inception in November 2021, CISA has added almost 1,100 vulnerabilities from over 170 vendors to the KEV. This raises an important question: what can we learn from this data? To analyze it, we will consider several data points. These include the average time it takes for a CVE to appear on the KEV list, when entries are added, and the balance of old and new vulnerabilities. In addition, we will identify the oldest and latest CVEs on the list (fun fact: the oldest CVE is old enough to drink in the US!). But the most significant question is what these statistics reveal about our progress as an industry.

In this talk, you and your cybersecurity teams will learn how to use the latest trends from the KEV to help make one of the most critical decisions in vulnerability management: prioritization. By understanding what is being exploited in the wild, you can better focus on remediation efforts for real-world attacks. You can improve your vulnerability-management programs with data-driven techniques.
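The data points listed above can be computed directly from the catalog's JSON feed. The following is an added example, not material from the talk: it runs over constructed records that use the feed's `cveID`, `vendorProject` and `dateAdded` fields. It assumes the year in the CVE ID as a proxy for a CVE's age, because the feed carries no publication date; an exact time-to-KEV figure needs that date from a CVE data source.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample records shaped like entries in the "vulnerabilities"
# array of the KEV JSON feed. IDs, vendors and dates are illustrative only.
SAMPLE_KEV = [
    {"cveID": "CVE-2002-900001", "vendorProject": "VendorA", "dateAdded": "2022-03-03"},
    {"cveID": "CVE-2019-900002", "vendorProject": "VendorB", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-900003", "vendorProject": "VendorA", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2023-900004", "vendorProject": "VendorC", "dateAdded": "2023-06-22"},
    {"cveID": "CVE-2024-900005", "vendorProject": "VendorB", "dateAdded": "2024-01-10"},
    {"cveID": "not-a-cve", "vendorProject": "VendorD", "dateAdded": "2024-02-01"},
]

def cve_key(cve_id):
    """Return (year, sequence) for a CVE ID, or None if it is malformed."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE":
        return None
    if not (parts[1].isdigit() and parts[2].isdigit()):
        return None
    return int(parts[1]), int(parts[2])

def summarize_kev(entries):
    """Compute catalog statistics; malformed records are counted, not fatal."""
    rows, skipped = [], 0
    for e in entries:
        key = cve_key(e.get("cveID", ""))
        try:
            added = date.fromisoformat(e.get("dateAdded", ""))
        except ValueError:
            key = None
        if key is None:
            skipped += 1
            continue
        rows.append((key, e["cveID"], e.get("vendorProject", ""), added))
    if not rows:
        raise ValueError("no usable KEV records")
    # Assumption: CVE-ID year stands in for the CVE's age (see lead-in).
    lags = [added.year - key[0] for key, _, _, added in rows]
    return {
        "entries": len(rows),
        "skipped": skipped,
        "vendors": len({vendor for _, _, vendor, _ in rows}),
        "oldest_cve": min(rows)[1],
        "newest_cve": max(rows)[1],
        "mean_lag_years": mean(lags),
        "added_same_year": sum(1 for lag in lags if lag <= 0),
        "adds_per_month": dict(Counter(a.strftime("%Y-%m") for *_, a in rows)),
    }
```

To run it against the live catalog, pass the feed's `vulnerabilities` list to `summarize_kev` in place of `SAMPLE_KEV`.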