The KEV Paradox
Everyone Has Known Exploited Vulnerabilities and Yet KEV Is a Tiny Fraction of the Problem.
Most security leaders have (rightly) adopted the CISA Known Exploited Vulnerabilities (KEV) catalog as a core input to vulnerability remediation. KEV is high-signal: a curated list of vulnerabilities with credible evidence of exploitation, often paired with clear remediation actions and organizational urgency.
But the moment you look at the data quantitatively, a paradox appears:
Nearly everyone has KEVs even though KEVs represent only ~1% of the open vulnerability backlog.
That paradox is what makes KEV both necessary and insufficient as a standalone prioritization system. How do we know? In 2022, Cisco, Kenna and Cyentia’s Prioritization to Prediction (P2P), Vol. 9 analyzed KEV prevalence using Kenna Vulnerability Management data across 9.6 million active assets and 637.5 million vulnerability instances.
When you measure prevalence across organizations, KEV is nearly universal:
98.3% of organizations have ever seen a KEV CVE.
96.2% of organizations still have a KEV CVE open.
Yet KEVs represented only 2.4% of all vulnerabilities ever found (815 million in total), and only ~1.0% of vulnerabilities still open at the time of measurement.
On an asset basis, 36.0% of assets had ever been affected by a KEV vulnerability, and 21.5% of assets were still affected.
This is not a contradiction. It’s a distribution problem:
KEVs are “wide” (they show up in almost every environment).
KEVs are not “deep” (they are a small fraction of total findings and backlog volume).
About 1% of the ~635 million open vulnerabilities in the sample were on the KEV list as of 2022.
2026 update: KEV has grown — but the exploited universe is far larger
Two updates make the “KEV is necessary but insufficient” conclusion even more important now:
The KEV catalog has roughly doubled since early 2022. It now contains 1,477 entries (as currently listed in the catalog UI).
The exploited-CVE universe is an order of magnitude larger than KEV. Empirical’s exploitation monitoring tracks 17,000+ exploited CVEs (based on observed exploitation activity).
A simple upper-bound calculation makes the point: Even if every KEV entry overlapped perfectly with Empirical’s exploited-CVE universe (it doesn’t), KEV would cover at most: 1,477 / 17,000 ≈ 8.7% of exploited CVEs.
And the exploitation problem isn’t slowing down: recent Empirical work reports 12.3K CVEs with exploitation activity in the past 12 months, while exploitation is not observed for roughly 94% of published vulnerabilities. That’s exactly why prioritization matters: exploitation is rare relative to the total CVE count, but the exploited set is still far too large to manage with a single curated list.
CISO takeaway: KEV is a compliance baseline, not a prioritization system
KEV is the right place to start because it produces fast wins and supports policy compliance. But the math is unambiguous:
KEV ≠ exploited risk.
KEV is high-signal but low-coverage.
Treating KEV as the only prioritization input guarantees you’ll miss the majority of exploited CVEs.
A simple practical operating model is a three-layer system:
Layer 1 — KEV (mandatory / fast wins):
Track KEV SLAs and time-to-remediate. Recency matters: don’t set a fast SLA for an entry that was added to KEV a year ago unless you have recent exploitation evidence for it.
Layer 2 — Exploitation reality beyond KEV:
Prioritize vulnerabilities with observed exploitation activity that are present in your environment — regardless of whether they appear on KEV.
Layer 3 — Predictive triage for the firehose:
Use probabilistic and predictive scoring (e.g., EPSS) to catch what’s likely to be exploited next, before it becomes tomorrow’s incident.
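The three layers above, turned into a small triage routine, together with the coverage metrics that produce the “wide but not deep” numbers. This is an added example, not Empirical’s or CISA’s code. It assumes a finding inventory of (org, asset, CVE, open-flag) rows, a KEV lookup of CVE to dateAdded (mirroring the dateAdded field of CISA’s KEV JSON feed), a hypothetical observed-exploitation feed of CVE to last-seen date, an EPSS score lookup, a 90-day recency window and an EPSS cutoff of 0.10; the CVE IDs, dates, scores and SLAs are all constructed placeholders.

```python
"""Three-layer, exploitation-aware triage plus the coverage metrics behind
the KEV paradox. Added example; not Empirical's or CISA's code.

Assumed inputs (all constructed below):
  KEV       CVE -> dateAdded, mirroring the dateAdded field of CISA's KEV JSON feed
  EXPLOITED CVE -> most recent date exploitation was observed (hypothetical feed)
  EPSS      CVE -> EPSS probability
  FINDINGS  one row per (org, asset, CVE) with an open/closed flag
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    org: str
    asset: str
    cve: str
    is_open: bool


TODAY = date(2026, 1, 15)      # assumed "as of" date; keeps the example deterministic
RECENT = timedelta(days=90)    # assumed window for "recent" KEV addition / exploitation
EPSS_THRESHOLD = 0.10          # assumed predictive cutoff for Layer 3

# Constructed sample feeds. The CVE IDs are placeholders, not real vulnerabilities.
KEV = {
    "CVE-0000-0001": date(2024, 11, 2),   # on KEV for over a year
    "CVE-0000-0002": date(2026, 1, 3),    # added to KEV this month
}
EXPLOITED = {
    "CVE-0000-0001": date(2025, 1, 20),   # last seen exploited a year ago
    "CVE-0000-0002": date(2026, 1, 10),
    "CVE-0000-0003": date(2026, 1, 12),   # actively exploited but NOT on KEV
}
EPSS = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.88, "CVE-0000-0003": 0.45,
        "CVE-0000-0004": 0.30, "CVE-0000-0005": 0.002}

# Constructed inventory: every org has touched a KEV CVE, yet KEV rows are a minority.
FINDINGS = [
    Finding("org-a", "a-1", "CVE-0000-0001", True),
    Finding("org-a", "a-1", "CVE-0000-0004", True),
    Finding("org-a", "a-2", "CVE-0000-0003", True),
    Finding("org-a", "a-2", "CVE-0000-0005", True),
    Finding("org-b", "b-1", "CVE-0000-0002", True),
    Finding("org-b", "b-1", "CVE-0000-0005", True),
    Finding("org-b", "b-2", "CVE-0000-0004", True),
    Finding("org-b", "b-2", "CVE-0000-0005", True),
    Finding("org-c", "c-1", "CVE-0000-0001", False),  # KEV item already remediated
    Finding("org-c", "c-1", "CVE-0000-0003", True),
    Finding("org-c", "c-2", "CVE-0000-0004", True),
    Finding("org-c", "c-2", "CVE-0000-0005", True),
]


def _recent(d, today):
    return d is not None and today - d <= RECENT


def triage(cve, today=TODAY):
    """Assign a CVE to a layer and an SLA in days (None = untimed backlog).

    Layer 1: on KEV (mandatory). Fast SLA only when the KEV addition or the
             latest exploitation evidence is recent; a stale entry gets a slower clock.
    Layer 2: exploitation observed but not on KEV.
    Layer 3: no observed exploitation, but EPSS above the cutoff.
    Layer 4: everything else.
    """
    recently_exploited = _recent(EXPLOITED.get(cve), today)
    if cve in KEV:
        fast = _recent(KEV[cve], today) or recently_exploited
        return 1, (14 if fast else 45)
    if cve in EXPLOITED:
        return 2, (30 if recently_exploited else 60)
    if EPSS.get(cve, 0.0) >= EPSS_THRESHOLD:
        return 3, 90
    return 4, None


def remediation_queue(findings, today=TODAY):
    """Open findings ordered by layer, then SLA (untimed last), then CVE."""
    rows = [(*triage(f.cve, today), f) for f in findings if f.is_open]
    return sorted(rows, key=lambda r: (r[0], r[1] if r[1] is not None else 10**6, r[2].cve))


def coverage_metrics(findings):
    """Prevalence across orgs/assets versus share of the open backlog (wide vs. deep)."""
    open_rows = [f for f in findings if f.is_open]
    orgs = {f.org for f in findings}
    assets = {f.asset for f in findings}
    kev_open = [f for f in open_rows if f.cve in KEV]
    exploited_not_kev_open = [f for f in open_rows if f.cve in EXPLOITED and f.cve not in KEV]
    hit_assets = {f.asset for f in open_rows if f.cve in KEV or f.cve in EXPLOITED}
    return {
        "orgs_ever_kev": len({f.org for f in findings if f.cve in KEV}) / len(orgs),
        "orgs_open_kev": len({f.org for f in kev_open}) / len(orgs),
        "open_findings_kev": len(kev_open) / len(open_rows),
        "open_findings_exploited_not_kev": len(exploited_not_kev_open) / len(open_rows),
        "assets_open_exploited_or_kev": len(hit_assets) / len(assets),
    }


if __name__ == "__main__":
    for layer, sla, f in remediation_queue(FINDINGS):
        print(f"L{layer} sla={sla!s:>4} {f.org} {f.asset} {f.cve}")
    for name, value in coverage_metrics(FINDINGS).items():
        print(f"{name:35s} {value:6.1%}")
```

On this constructed inventory every org has seen a KEV CVE, yet KEV rows are under a fifth of the open backlog and an equal share of the open backlog is exploited-but-not-on-KEV, which is exactly the gap Layer 2 exists to close. Swapping the constructed dicts for the real KEV feed, an exploitation feed and EPSS scores is the only change needed to run it on your own data.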
Empirical can quantify your exposure and your remediation performance against both (a) KEV and (b) real-world exploitation activity, and compare you to peer cohorts.
Our custom benchmark reports help you answer, with data:
How many KEVs are open (and for how long)?
What fraction of your environment contains exploited vulnerabilities that are not on KEV?
Are you improving your “exploited exposure” faster than your peers — or falling behind?
Reach out if you want a deep dive into your own data.