What Is the CISA KEV Catalog and Why Your Business Should Track It
The CISA Known Exploited Vulnerabilities catalog lists CVEs actively used in cyberattacks. Learn what KEV is, how it differs from the NVD, and why tracking it is essential for NIS2 and DORA compliance.
Every day, the National Vulnerability Database publishes dozens of new CVEs. As of early 2026, there are over 250,000 known vulnerabilities cataloged. If you run even a modest IT environment — say, 100 endpoints with standard business software — a full vulnerability scan might flag thousands of issues.
The question every IT manager and CISO asks: where do I start?
The CISA KEV: A curated list of what attackers actually use
In November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched the Known Exploited Vulnerabilities (KEV) catalog. Unlike the NVD, which catalogs all known vulnerabilities regardless of whether anyone has ever exploited them, the KEV catalog only includes CVEs that meet three strict criteria:
- The vulnerability has a CVE ID — it’s been formally cataloged
- There is reliable evidence of active exploitation — not theoretical risk, but confirmed in-the-wild attacks
- There is a clear remediation action — a patch, update, or mitigation exists
As of February 2026, the KEV catalog contains approximately 1,484 entries. That’s roughly 0.6% of all known CVEs. This tiny fraction represents the vulnerabilities that threat actors — from ransomware gangs to nation-state groups — are actively using to breach organizations right now.
KEV vs. NVD vs. CVSS: understanding the difference
| Source | What it tracks | Size | Update frequency |
|---|---|---|---|
| NVD (NIST) | All known CVEs with CVSS scores | 250,000+ | Daily (but backlog issues in 2024-2025) |
| CISA KEV | Only actively exploited CVEs | ~1,484 | 2-5 new entries per week |
| CVSS | Severity score (0-10) | N/A (scoring system) | Per-CVE basis |
Here’s the critical insight: a CVSS 9.8 vulnerability that nobody exploits is less urgent than a CVSS 7.5 vulnerability that ransomware gangs are using today. The KEV catalog provides this real-world exploitation context that CVSS alone cannot.
Who must track KEV vulnerabilities?
Legally mandated
- U.S. Federal agencies: CISA’s Binding Operational Directive 22-01 (BOD 22-01) requires all Federal Civilian Executive Branch agencies to remediate KEV vulnerabilities within strict deadlines — typically 14 days for internet-facing systems
- EU organizations under NIS2: The NIS2 Directive (effective October 2024) requires “essential” and “important” entities to implement vulnerability handling procedures. While NIS2 doesn’t name KEV specifically, the KEV catalog has become the de facto standard for demonstrating “vulnerability handling” during audits
- Financial institutions under DORA: The Digital Operational Resilience Act requires financial entities to maintain ICT vulnerability management. KEV tracking demonstrates compliance with DORA’s vulnerability management requirements
Strongly recommended
- Any organization managing IT infrastructure
- Managed Service Providers (MSPs) responsible for client environments
- Companies pursuing ISO 27001 certification (Annex A control A.12.6: Technical Vulnerability Management)
How to track KEV vulnerabilities (three approaches)
Approach 1: Manual (free, but painful)
Download the KEV JSON feed from CISA, import it into a spreadsheet, and cross-reference it against your software inventory. Repeat weekly. This works for very small environments, but it doesn’t scale and is error-prone.
Approach 2: Add KEV to your existing scanner
Qualys, Tenable, and Rapid7 all offer KEV filtering. The downside: these tools cost €15,000-50,000/year and require significant infrastructure (network scanners, credentials, firewall rules). For a large enterprise, this makes sense. For an SMB with 50-500 endpoints, it’s overkill.
Approach 3: Use a dedicated KEV tracking tool
This is the approach that makes the most sense for small and mid-sized organizations. A tool that focuses specifically on KEV tracking can automate the entire process: sync the catalog daily, match it against your software inventory, alert you when new matches are found, and generate compliance reports.
SentriKat was built for exactly this use case. It syncs the CISA KEV catalog daily, matches it against your software inventory using multi-method CVE matching (CPE identifiers, vendor+product combinations, and keyword analysis), and provides compliance reporting for NIS2, DORA, and BOD 22-01 — all deployed on your own infrastructure.
The ransomware connection
One of the most valuable fields in the KEV catalog is the ransomware flag. CISA indicates whether each vulnerability is “Known to Be Used in Ransomware Campaigns.” As of early 2026, roughly 20% of KEV entries carry this flag.
Why this matters: if a vulnerability in your environment is marked as used in ransomware campaigns, the urgency isn’t theoretical. Ransomware groups actively scan for these exact vulnerabilities. The average cost of a ransomware attack for an SMB ranges from €50,000 to €500,000 — far more than any vulnerability management tool costs.
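As an added example (not code from this article or from SentriKat), here is what the manual approach described above looks like once the spreadsheet step is scripted: it parses a feed in the layout of the CISA KEV JSON download, matches entries against a software inventory by vendor and product, puts ransomware-flagged findings first, and lists findings whose CISA due date has passed. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse, requiredAction) follow the published feed format; everything else, including the catalog entries, CVE IDs, vendors and hosts, is a constructed sample and assumed for illustration.

```python
"""Added example: cross-reference a CISA KEV JSON feed against a software inventory.

Field names follow the published KEV feed layout; the entries below are a
constructed sample, and the CVE IDs, vendors and hosts are made up.
"""
import json
from datetime import date

# Constructed stand-in for the JSON feed you would download from cisa.gov (NOT real entries).
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample in the KEV feed layout",
  "catalogVersion": "2026.02.20",
  "dateReleased": "2026-02-20T12:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "Acme", "product": "Widget Server",
     "vulnerabilityName": "Acme Widget Server Deserialization Vulnerability",
     "dateAdded": "2026-01-20", "shortDescription": "constructed sample entry",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2099-0002", "vendorProject": "Acme", "product": "Widget Client",
     "vulnerabilityName": "Acme Widget Client Path Traversal Vulnerability",
     "dateAdded": "2026-02-08", "shortDescription": "constructed sample entry",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2099-0003", "vendorProject": "Globex", "product": "Edge Router",
     "vulnerabilityName": "Globex Edge Router Authentication Bypass Vulnerability",
     "dateAdded": "2026-02-15", "shortDescription": "constructed sample entry",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-03-08", "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}
"""

# Constructed software inventory: one row per installed product per host.
SAMPLE_INVENTORY = [
    {"host": "web-01", "vendor": "Acme",    "product": "Widget Server", "version": "4.2"},
    {"host": "web-02", "vendor": "ACME",    "product": "widget server", "version": "4.1"},
    {"host": "pc-117", "vendor": "Acme",    "product": "Widget Client", "version": "4.2"},
    {"host": "fs-01",  "vendor": "Initech", "product": "Share Server",  "version": "2.0"},
]


def load_kev(feed_text):
    """Parse the KEV feed text and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(value):
    """Case- and whitespace-insensitive key so 'ACME' matches 'Acme'."""
    return " ".join(value.lower().split())


def match_inventory(kev_entries, inventory):
    """Vendor+product matching, the simplest of the matching methods the article names.

    Returns one finding per (KEV entry, inventory row) pair. Matching on vendor and
    product only is deliberately conservative: it ignores versions, so it can flag
    hosts that are already patched, but it never misses an affected product because
    of a version-string mismatch. Treat each finding as "verify the version".
    """
    index = {}
    for row in inventory:
        index.setdefault((_norm(row["vendor"]), _norm(row["product"])), []).append(row)
    findings = []
    for entry in kev_entries:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        for row in index.get(key, []):
            findings.append({
                "host": row["host"],
                "cve": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "due_date": date.fromisoformat(entry["dueDate"]),
                "required_action": entry["requiredAction"],
            })
    return findings


def prioritize(findings):
    """Ransomware-flagged findings first, then by the earliest CISA due date, then host."""
    return sorted(findings, key=lambda f: (not f["ransomware"], f["due_date"], f["host"]))


def overdue(findings, today):
    """Findings whose CISA due date has already passed; `today` is a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [f for f in findings if f["due_date"] < today]


if __name__ == "__main__":
    report = prioritize(match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY))
    for f in report:
        flag = "RANSOMWARE" if f["ransomware"] else "          "
        print(f'{flag} {f["cve"]} due {f["due_date"]} {f["host"]:8} {f["product"]}')
    print(f'{len(overdue(report, "2026-02-20"))} finding(s) past their CISA due date')
```

Replacing SAMPLE_KEV_JSON with the downloaded feed and SAMPLE_INVENTORY with an export from your asset management tool gives a weekly report; the ransomware flag and the dueDate field are what turn a flat list of matches into an ordered work queue.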
Getting started
The CISA KEV catalog is publicly available at cisa.gov/known-exploited-vulnerabilities-catalog. You can download it as JSON or CSV. Start by cross-referencing it against your most critical systems.
For automated tracking with compliance reporting, request a demo of SentriKat — our on-premises platform that makes KEV management effortless for organizations of any size.
SentriKat is a Swiss vulnerability management platform focused on CISA Known Exploited Vulnerabilities. It deploys on-premises with Docker and generates NIS2 Article 21 compliance reports out of the box.
Ready to automate your vulnerability management?
Deploy SentriKat on-premises in minutes. Track CISA KEV vulnerabilities, generate NIS2 compliance reports, and protect your infrastructure.