The CISA Known Exploited Vulnerabilities catalog has done more to reshape vulnerability management programs than any other public data source launched in the past decade. It is short, curated, authoritative, and comes with deadlines. In 2025 and 2026 the catalog continued to grow, and the operational expectations it sets have tightened. This post is a senior-engineer analysis of what the catalog looks like now and what the growth implies for defenders.
How has the KEV catalog grown since launch?
CISA launched the KEV catalog in November 2021 under Binding Operational Directive 22-01, which requires federal civilian agencies to remediate listed vulnerabilities within prescribed timelines. The initial catalog listed several hundred entries; public CISA publications and third-party trackers have documented steady growth since then, with hundreds of additions per year on average.
The growth rate has been relatively steady rather than exponential. CISA adds entries based on evidence of active exploitation, which provides a natural rate limit compared to published CVE counts. The ratio of KEV entries to total new CVEs is small by design: the catalog is a curated signal, not a comprehensive list of vulnerable software.
What has changed more than the absolute count is the distribution. The catalog increasingly includes vulnerabilities in network edge devices, identity providers, and cloud services alongside traditional operating systems and productivity applications. The distribution reflects where attackers are getting value, and defenders should structure their programs accordingly.
How Safeguard.sh Helps
Safeguard.sh ingests KEV updates continuously and maps them against SBOM-reconciled inventories of your deployed software. Griffin AI escalates KEV findings automatically, Lino compliance tracks remediation SLAs against the BOD 22-01 cadence, and container self-healing rebuilds and redeploys affected images where policy allows. 100-level dependency depth catches KEV findings in transitive components that shallow scanners miss.
What do 2025 and 2026 additions tell us about attacker focus?
Several patterns stand out. Network edge devices, particularly firewalls, VPN concentrators, and secure-access appliances, continued to draw a disproportionate share of entries. Public incident reporting and threat-intelligence research from vendor teams consistently link these devices to initial-access and persistence activities, and CISA's KEV additions echo the pattern.
Identity infrastructure remained a steady source of KEV entries, with authentication systems, directory services, and SSO gateways continuing to appear. The pattern is consistent with the multi-year emphasis on identity-focused attacks; compromised identity provides persistent access that is hard to evict, making identity bugs high-value targets.
Productivity software remained present, particularly document-handling, browser, and mail components. Zero-day activity in these categories shows up quickly in KEV because exploitation is often widespread once a campaign starts. Defenders should treat these categories with the urgency the catalog implies rather than the severity CVSS alone suggests.
How Safeguard.sh Helps
Safeguard.sh aligns KEV priorities with your actual exposure. Griffin AI applies reachability analysis to KEV findings, which separates "vulnerable because the library is present" from "vulnerable because the path is reachable in production." Lino compliance documents remediation rationale for both cases, TPRM surfaces KEV exposure in supplier components, and SBOM lifecycle keeps the inventory current for network edge and identity infrastructure as well as application stacks.
How are federal agencies performing against BOD 22-01 timelines?
Public reporting on federal remediation performance shows steady but uneven progress. CISA and GAO reports document agencies meeting the majority of their KEV timelines while continuing to miss a subset, often in legacy systems where patching requires coordination across mission-critical workflows. The pattern has improved year over year, but complete compliance remains elusive.
The federal experience is informative for enterprises because it illustrates the challenge of applying a fixed timeline across a heterogeneous estate. Agencies with active modernization programs hit timelines consistently; agencies with high legacy exposure struggle. The same pattern replays in enterprises: workloads that are modernized and automated remediate quickly, while older workloads miss deadlines that look reasonable on paper.
The enterprise takeaway is not to copy BOD 22-01 deadlines uncritically, but to adopt the principle. Commit to specific remediation windows for KEV findings, measure performance against them, and treat misses as signals about which workloads need modernization investment.
How Safeguard.sh Helps
Safeguard.sh tracks KEV remediation performance by workload, flagging estate segments where the gap between timeline and actual remediation is widening. Griffin AI prioritizes the workloads most likely to miss SLAs, container self-healing automates remediation for policy-allowed fixes, and Lino compliance produces the dashboards and audit trails that leadership and regulators expect. Enterprise programs get BOD 22-01-style discipline without heroics.
How does KEV interact with EPSS and CVSS in modern programs?
The 2026 consensus is that KEV, EPSS, and CVSS each play a distinct role. KEV is the highest-priority signal because exploitation is confirmed. EPSS, published by FIRST, provides a continuously updated probability of exploitation within thirty days and covers the broader CVE population. CVSS provides a severity baseline but, on its own, correlates poorly with real-world exploitation risk.
Mature programs combine the three. KEV findings receive immediate attention; EPSS-high findings receive near-term attention; CVSS-high findings receive attention as capacity allows, filtered by reachability and business context. The combination scales; any one of the three alone does not.
Research on prioritization, including publications from FIRST, academic studies, and vendor benchmarks, consistently supports the combined approach. Programs that adopted KEV plus EPSS plus reachability in 2024 and 2025 are measurably ahead of programs still prioritizing on CVSS alone, and the gap is visible in audit findings, incident rates, and engineer satisfaction.
How Safeguard.sh Helps
Safeguard.sh integrates KEV, EPSS, reachability, and CVSS into a single Griffin AI score. Teams see a prioritized, explainable list of findings aligned with the frameworks regulators and boards accept. Lino compliance documents the prioritization logic for audits, and container self-healing acts on the top tier automatically. Programs consolidate on one prioritization model rather than maintaining three parallel ones.
How are commercial sectors adopting KEV beyond the federal mandate?
KEV adoption has expanded well beyond federal civilian agencies. Regulated industries, including banking, healthcare, and critical infrastructure, increasingly reference KEV in their vulnerability management policies and procurement expectations. Published industry frameworks and vendor risk questionnaires now ask for KEV mean time to remediate explicitly, and organizations that cannot produce the metric are visibly disadvantaged.
Cloud providers and major software vendors have also adopted KEV internally as a prioritization signal for their own patching and service management. The visible alignment of public cloud and major SaaS vendors with KEV makes it easier for enterprise customers to expect the same discipline from other suppliers, which shifts KEV from government directive to industry norm.
The practical implication is that KEV metrics are now a buying consideration. Vendors that can document KEV compliance in their own software and services have a competitive advantage in procurement. Enterprises that can document KEV compliance across their estate have a stronger position in audits, customer trust assessments, and cyber insurance negotiations.
How Safeguard.sh Helps
Safeguard.sh gives every customer the KEV discipline that federal directive and industry expectation now require. Griffin AI, Lino compliance, SBOM lifecycle, TPRM, 100-level dependency depth, and container self-healing together produce the measurable KEV mean time to remediate that regulators, auditors, insurers, and customers expect. The metric becomes a program KPI rather than a manual calculation each quarter.
What are the common misses in KEV programs?
Three failure modes show up consistently. First, inventory gaps. A KEV program is only as good as the underlying inventory of deployed software. Organizations with incomplete SBOM coverage, stale CMDBs, or unmanaged shadow IT routinely miss KEV findings because the affected components were not known to exist in the environment.
Second, transitive blindness. KEV entries often affect popular libraries that appear deep in dependency trees. Shallow SCA tools that stop at a few levels of depth miss these findings entirely. The xz-utils case was an early and visible example, but the pattern continues.
Third, supplier neglect. Many KEV findings involve third-party software that the enterprise consumes but does not develop. Programs that focus exclusively on internally developed applications miss the largest share of KEV-relevant exposure, which is typically in commercial and open source software running in the environment.
How Safeguard.sh Helps
Safeguard.sh addresses all three failure modes directly. SBOM lifecycle maintains a reconciled inventory across development and procurement, 100-level dependency depth traverses the transitive chain that shallow scanners miss, and TPRM extends KEV coverage to supplier components. Griffin AI surfaces the misses the rest of the program would hide, and Lino compliance documents the complete program for audit.
What should a vulnerability lead do about KEV in 2026?
Commit to three KPIs and publish them. KEV mean time to remediate at the 50th and 95th percentiles, percent of KEV findings in supplier components remediated within contract SLAs, and percent of deployed software covered by an up-to-date, reconciled SBOM. These three metrics tell leadership everything they need to know about program maturity and align with how regulators and insurers evaluate programs.
Align internal SLAs with BOD 22-01 as a reference point, adjusting for business context. If certain workloads cannot meet federal timelines, document why, and use the gap as the business case for modernization investment rather than a compliance exception that quietly becomes permanent.
Finally, close the inventory gap. Most KEV program failures trace back to not knowing what is deployed. SBOM generation, reconciliation against runtime, and ingestion from suppliers are the underlying controls that make the rest of the program work. Invest there first, and the KEV KPIs will improve as a consequence rather than as an isolated effort.
How Safeguard.sh Helps
Safeguard.sh ships the metrics, the inventory, and the enforcement in one platform. Griffin AI drives KEV prioritization with reachability and exploitability, Lino compliance tracks SLAs against BOD 22-01 discipline, SBOM lifecycle and TPRM close the inventory gap across internal and supplier software, 100-level dependency depth catches transitive KEV exposure, and container self-healing automates the remediation loop. Vulnerability leads get measurable KEV outcomes and the audit evidence to match.