CISA KEV Catalog Monitoring: Get Alerted to New Exploited Vulnerabilities

On November 2, 2023, CISA added CVE-2023-46604 (Apache ActiveMQ remote code execution) to the Known Exploited Vulnerabilities catalog. Ransomware groups including HelloKitty had already weaponized it against unpatched servers worldwide. Federal agencies subject to BOD 22-01 had 15 days to remediate (internet-facing assets) or 25 days (other assets). Private-sector teams that were already monitoring the KEV catalog patched on October 24-25, sometimes with the new entry as the only justification needed for out-of-cycle change control. Teams that found out about KEV inclusion the following Monday from a vendor newsletter were already in their incident-response cycle.

The CISA Known Exploited Vulnerabilities (KEV) catalog is the single most actionable security feed produced by a US federal agency. Every entry is a CVE that CISA has confirmed is being exploited in the wild, and federal civilian agencies are required to remediate it within a defined window under BOD 22-01. For private-sector security teams, the KEV catalog is the closest thing to a "patch this first" list that exists. It cuts through the noise of CVSS scores, vendor advisories, and threat-intel hype to identify the vulnerabilities where attackers are actually working.

This guide covers how the KEV catalog is published, why it has become the de facto patch-prioritization signal for security teams, and how to set up a continuous monitor that turns new KEV additions into tickets within minutes of CISA publishing.

Quick Setup

Pick the vendors that matter to your stack (or skip for all CVEs) and PageCrawl will alert your team within minutes when CISA adds a new exploited vulnerability.

Why Monitor the KEV Catalog

A vulnerability appearing on KEV means there is confirmed active exploitation, not just theoretical risk. CISA does not add CVEs based on PoC code or vendor advisories alone; it adds them when there is evidence of in-the-wild use. That confirmation changes the operational picture in several ways.

Patch Prioritization With CISA Backing

KEV entries justify out-of-cycle patching even when CVSS scores are middling. A CVSS 7.5 with confirmed exploitation outranks every CVSS 9.8 with no known active use. For security teams negotiating change windows with operations, "CISA added this to KEV this morning" is a clean, defensible argument.

Compliance Evidence Across Frameworks

Many security frameworks reference KEV as a remediation trigger. BOD 22-01 makes it mandatory for federal civilian agencies. SOC 2, ISO 27001, PCI DSS, and FedRAMP audit programs increasingly reference KEV in scoping. Same-day awareness of additions, plus an archived monitoring history, supports cleaner audit trails.

Threat-Intel Context

New KEV entries often correlate with ransomware campaigns, edge-device exploitation, or initial-access broker activity. CISA flags ransomware association in the catalog metadata. Reading new KEV additions in context with public threat-intel reporting gives security teams a faster read on what attackers are using right now.

Vendor Accountability and Procurement Signal

Repeat KEV additions for the same vendor or product line are a procurement signal. When the same VPN, MFT, or identity product appears on KEV multiple times in a year, that pattern affects renewal and replacement decisions.

How CISA Publishes the KEV Catalog

The catalog lives at a stable URL with both an HTML page and downloadable JSON, CSV, and Schema.org JSON-LD exports:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

CISA adds new vulnerabilities in batches, typically several times per week. Each entry includes the CVE identifier, vendor, product, vulnerability name, date added, short description, required action, due date for federal agencies (typically 15 days for internet-facing assets, 25 days for others), and a ransomware-use flag. The JSON feed exposes the same data in a machine-readable schema that fits cleanly into SOAR pipelines.

The NVD (National Vulnerability Database) is a complementary source. NVD entries land before KEV for most CVEs because KEV addition requires confirmed exploitation. Monitoring NVD's recent-additions feed gives you an earlier (lower-confidence) signal.

Comparing Monitoring Approaches

| Approach | Cost | Latency | Coverage | Best For |
| --- | --- | --- | --- | --- |
| Manual CISA refresh | Free | Hours to days | Full catalog | One-person teams |
| CISA email subscription | Free | Same day | All additions | General awareness |
| Tenable / Qualys / Rapid7 | $50K+/year | Real-time | Comprehensive, integrated | Large enterprise vuln management |
| Vendor-specific advisories | Free | Variable, often delayed | Per-vendor | Single-vendor stacks |
| Threat-intel platforms (Recorded Future, Mandiant) | $50K+/year | Real-time | Comprehensive plus IOCs | Mature SOC programs |
| PageCrawl on KEV + NVD | Free tier to $80/year | 5-15 minutes | KEV catalog, configurable filtering | Most security teams, MSSPs, consultants |

CISA's email subscription is free and reliable for awareness, but it delivers the full daily batch as a digest, not a real-time push. For teams that want a ticket created within minutes of CISA publishing, page monitoring with webhook output is materially faster and cheaper than the enterprise vuln-management products.

Setting Up KEV Monitoring in PageCrawl

Step 1: Add the KEV catalog HTML page

Paste the catalog URL into PageCrawl as a content monitor. Use full-page text mode so additions to the table are detected. This is the page that drives most alerts.

Step 2: Mirror with the JSON feed

For machine-readable workflows, add the JSON URL as a second monitor. Webhook delivery from PageCrawl into a SOAR or ticketing system turns a CISA update into an automated ticket with the structured CVE data attached.

Step 3: Cross-reference with NVD recent additions

Add the NVD CVE database recent-additions page as a third monitor. NVD lists CVEs before they reach KEV, giving an earlier (lower-confidence) window into what may be added to KEV in the days that follow.

Step 4: Set frequent checks

KEV updates can land at any time during business hours. Hourly checks catch most additions within an hour; 15-minute checks (Standard plan) cover the rest. For teams under BOD 22-01, 15-minute frequency is the right choice.

Step 5: Configure webhooks to your SOAR

PageCrawl webhooks fire on every detected change. Route them into Tines, Cortex XSOAR, Splunk SOAR, or a custom Lambda that opens a Jira or ServiceNow ticket with the CVE, vendor, product, and required action pre-filled.

Step 6: Configure notifications for humans

For the on-call team, route to a #kev-alerts Slack channel with the AI summary describing the new addition. See our Slack alerts setup guide for channel configuration and the Discord alerts guide if your team runs on Discord.

Worked Example: An MSSP Workflow for 50 Client Stacks

Take an MSSP serving 50 clients with varied technology stacks. The setup:

  1. Add the KEV catalog HTML and JSON URLs as two monitors.
  2. Add the NVD recent-additions feed as a third monitor.
  3. Set 15-minute checks on all three.
  4. Configure webhooks into the MSSP's internal SOAR.
  5. The SOAR enriches each new CVE with affected-vendor metadata, matches against per-client asset inventories, and opens client-specific tickets only for stacks that include the affected vendor.
  6. Per-client tickets are routed into the client's Jira / ServiceNow via existing connectors.

Total cost: Standard plan at $80/year covers the three monitors with 15-minute checks. A single new KEV addition that turns into 12 client-specific tickets within minutes of CISA publishing recovers the cost many times over.
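The two pieces of the workflow above that live outside PageCrawl are the diff of the KEV JSON feed (Step 2, using the field names the feed exposes) and the SOAR step that matches each new entry against per-client asset inventories (item 5). The following is an added example, not PageCrawl's code or CISA's; it builds two constructed snapshots in the feed's schema (the CVE IDs, vendors, products and client names are placeholders), computes the new entries, derives an internal due date from the 15/25-day windows the page cites, and emits one ticket per affected client, with ransomware-flagged entries first.

```python
"""Diff two KEV JSON snapshots and route new entries to per-client tickets.

Added example (not PageCrawl's code). Field names follow the real KEV feed
(cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse,
...); every value below is a constructed placeholder.
"""
import json
from datetime import date, timedelta

# Remediation windows the page cites for BOD 22-01, in days from dateAdded.
WINDOW_DAYS = {"internet-facing": 15, "other": 25}


def _entry(cve, vendor, product, name, added, due, ransomware):
    """Build one record shaped like a KEV feed entry (placeholder content)."""
    return {
        "cveID": cve, "vendorProject": vendor, "product": product,
        "vulnerabilityName": name, "dateAdded": added,
        "shortDescription": "placeholder description",
        "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
        "dueDate": due, "knownRansomwareCampaignUse": ransomware, "notes": "",
    }


# Constructed snapshots: the "old" one is what the last check saw, the "new"
# one is what the webhook just delivered. CVE IDs and vendors are placeholders.
OLD_SNAPSHOT = json.dumps({"catalogVersion": "2024.01.01", "count": 1, "vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVPN", "Gateway", "ExampleVPN Gateway Auth Bypass",
           "2024-01-01", "2024-01-22", "Unknown"),
]})
NEW_SNAPSHOT = json.dumps({"catalogVersion": "2024.01.04", "count": 3, "vulnerabilities": [
    json.loads(OLD_SNAPSHOT)["vulnerabilities"][0],
    _entry("CVE-0000-0002", "ExampleVPN", "Gateway", "ExampleVPN Gateway RCE",
           "2024-01-04", "2024-01-25", "Known"),
    _entry("CVE-0000-0003", "ExampleMFT", "Transfer Server", "ExampleMFT SQL Injection",
           "2024-01-04", "2024-01-25", "Unknown"),
]})

# Constructed per-client inventories as (vendor, product); "*" means any product.
CLIENT_ASSETS = {
    "client-a": {("ExampleVPN", "Gateway")},
    "client-b": {("ExampleMFT", "*"), ("OtherVendor", "Widget")},
    "client-c": {("ExampleVPN", "Appliance")},  # same vendor, different product
}


def new_entries(old_json, new_json):
    """Entries present in the new snapshot but absent from the old, keyed on cveID."""
    seen = {v["cveID"] for v in json.loads(old_json)["vulnerabilities"]}
    return [v for v in json.loads(new_json)["vulnerabilities"] if v["cveID"] not in seen]


def affected_clients(entry, assets):
    """Clients whose inventory lists the entry's vendor and product (or '*')."""
    vendor = entry["vendorProject"].casefold()
    product = entry["product"].casefold()
    hits = []
    for client, inventory in assets.items():
        for inv_vendor, inv_product in inventory:
            if inv_vendor.casefold() == vendor and (
                inv_product == "*" or inv_product.casefold() == product
            ):
                hits.append(client)
                break
    return sorted(hits)


def internal_due_date(entry, exposure="internet-facing"):
    """Internal SLA: dateAdded plus the 15- or 25-day window the page cites."""
    added = date.fromisoformat(entry["dateAdded"])
    return (added + timedelta(days=WINDOW_DAYS[exposure])).isoformat()


def build_tickets(old_json, new_json, assets):
    """One ticket per (new entry, affected client); ransomware-flagged entries sort first."""
    tickets = []
    for e in new_entries(old_json, new_json):
        priority = "P1" if e["knownRansomwareCampaignUse"] == "Known" else "P2"
        for client in affected_clients(e, assets):
            tickets.append({
                "client": client, "cve": e["cveID"], "priority": priority,
                "vendor": e["vendorProject"], "product": e["product"],
                "required_action": e["requiredAction"],
                "cisa_due": e["dueDate"], "internal_due": internal_due_date(e),
            })
    tickets.sort(key=lambda t: (t["priority"], t["client"], t["cve"]))
    return tickets


if __name__ == "__main__":
    for ticket in build_tickets(OLD_SNAPSHOT, NEW_SNAPSHOT, CLIENT_ASSETS):
        print(ticket)
```

Keying the diff on `cveID` rather than on `count` or `catalogVersion` matters: CISA occasionally edits existing entries, and a ticket should only open for a CVE the previous snapshot did not contain. Matching on vendor plus product (with `*` as a vendor-wide wildcard) keeps client-c, which runs a different product from the same vendor, out of the ticket queue while still letting an inventory opt in to every product of a vendor that appears on KEV repeatedly.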

Patterns Worth Watching For

New CVEs against your installed stack. A CVE on a product you operate is the top-priority signal. Asset-inventory matching in your SOAR turns the firehose into per-team actionable tickets.

Edge devices and identity products. VPNs, firewalls, MFT (managed file transfer), and identity providers are over-represented on KEV. These warrant special attention regardless of whether you currently run the affected version.

CVEs with known ransomware use. CISA flags ransomware association in the catalog metadata. These are highest urgency and warrant out-of-cycle patching.

Repeat vendors. Multiple entries against the same vendor within a quarter are a procurement and architecture signal. Track vendor-level KEV frequency over time.

Old CVEs newly added. CISA sometimes adds CVEs from years ago after new in-the-wild evidence emerges. These warrant the same urgency as fresh additions.

Bulk additions on the same day. Batches of related CVEs (e.g. multiple Ivanti vulnerabilities added together) signal coordinated exploitation campaigns.
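The "repeat vendors" and "bulk additions on the same day" patterns above are both aggregations over an archive of KEV additions, which is exactly what a monitored history accumulates. Here is an added example (not PageCrawl's code) that runs both over a constructed mini-archive; the vendor names and CVE IDs are placeholders, and the `threshold` and `min_size` cut-offs are assumptions a team would tune.

```python
"""Vendor repeat-frequency per quarter and same-day batch detection over an
archive of KEV additions. Added example (not PageCrawl's code); all entries
below are constructed placeholders."""
from collections import defaultdict
from datetime import date

# Constructed mini-archive of additions: (cveID, vendorProject, dateAdded).
ARCHIVE = [
    ("CVE-0000-0101", "ExampleVPN", "2024-01-10"),
    ("CVE-0000-0102", "ExampleVPN", "2024-01-10"),
    ("CVE-0000-0103", "ExampleVPN", "2024-01-10"),
    ("CVE-0000-0104", "ExampleMFT", "2024-02-03"),
    ("CVE-0000-0105", "ExampleVPN", "2024-03-20"),
    ("CVE-0000-0106", "ExampleIdP", "2024-04-15"),
    ("CVE-0000-0107", "ExampleMFT", "2024-04-15"),
    ("CVE-0000-0108", "ExampleVPN", "2024-05-01"),
]


def quarter_of(iso_date):
    """Map an ISO date string to a calendar-quarter label such as '2024Q1'."""
    d = date.fromisoformat(iso_date)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def vendor_quarter_counts(archive):
    """Number of additions per (vendor, quarter)."""
    counts = defaultdict(int)
    for _cve, vendor, added in archive:
        counts[(vendor, quarter_of(added))] += 1
    return dict(counts)


def repeat_vendors(archive, threshold=2):
    """Vendors with at least `threshold` additions in any single quarter."""
    return sorted({vendor for (vendor, _q), n in vendor_quarter_counts(archive).items()
                   if n >= threshold})


def same_day_batches(archive, min_size=2):
    """(dateAdded, vendor) groups with at least `min_size` CVEs added together."""
    groups = defaultdict(list)
    for cve, vendor, added in archive:
        groups[(added, vendor)].append(cve)
    return {key: sorted(cves) for key, cves in groups.items() if len(cves) >= min_size}


if __name__ == "__main__":
    print("repeat vendors:", repeat_vendors(ARCHIVE))
    print("same-day batches:", same_day_batches(ARCHIVE))
```

Grouping batches by (date, vendor) rather than by date alone is deliberate: two unrelated vendors landing on the same day is just CISA's normal batching, whereas several CVEs against one vendor in one batch is the coordinated-campaign signal the pattern describes.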

Combining KEV Monitoring With Other Signals

The full value of KEV monitoring shows up when you pair it with other public security data.

Combine with PyPI and npm release monitoring. Pair the KEV monitor with our PyPI and npm package release guide. Supply-chain compromises sometimes precede a corresponding CVE.

Combine with certificate transparency monitoring. Use our CT log monitoring guide to detect phishing infrastructure that exploits the same vulnerabilities surfaced in KEV.

Combine with cloud status pages. Pair with our cloud status page monitoring guide to correlate widespread incidents with newly disclosed CVEs in cloud-provider infrastructure.

Combine with Kubernetes and container release feeds. Use our Kubernetes CVE monitor and Docker Hub tag monitor to track upstream patch availability for KEV entries that affect your containerized workloads.

Use Cases

Vulnerability management teams. New KEV alerts feed directly into ticketing and patching workflows with documented evidence of CISA confirmation. The handoff from "alert" to "patch" gets dramatically faster.

Threat intel teams. KEV additions are a clean lens on what attackers are actually using right now. A monitored archive over months becomes a rich dataset for trend analysis.

Compliance and audit teams. Same-day awareness, archived monitoring history, and webhook integration produce defensible documentation for SOC 2, ISO 27001, PCI DSS, and FedRAMP evidence.

MSSPs and security consultants. A single PageCrawl monitor serves every client; per-client filtering happens in the SOAR or ticketing layer. This is one of the cheapest ways to operationalize KEV for a multi-client practice.

SOC analysts. A #kev-alerts channel gives the SOC immediate awareness of what is being exploited in the wild, informing detection-engineering priorities.

CISOs and security leadership. Periodic KEV trend summaries (vendor concentration, CVE class trends) feed quarterly security reviews and board reporting.

Frequently Asked Questions

How often does CISA add new entries? Typically several times per week, in batches rather than continuously. Updates can land at any time during US business hours and occasionally outside.

Does CISA email me when new entries are added? CISA offers a free email subscription that delivers daily digests. For real-time alerting and structured webhook output into SOAR, page monitoring is more responsive.

Can I filter KEV alerts to only my stack? PageCrawl alerts fire on every catalog change. Filtering to your stack happens in the downstream system (SOAR, asset-inventory match, ticket router). The Quick Setup widget at the top of this post offers a per-vendor filter at the alert layer.

What about the NVD CVE feed? NVD is broader, slower, and lower-confidence (PoC CVEs without confirmed exploitation). Monitor it as a complement to KEV, not a substitute.

Is the JSON feed updated at the same time as the HTML page? In practice, yes. CISA publishes both surfaces simultaneously. The JSON feed is preferred for SOAR integration; the HTML page is preferred for human alerting.

Do I need a paid plan? The Free plan supports 6 monitors at hourly checks, enough for KEV plus NVD plus a few related feeds. Standard at $80/year unlocks 15-minute checks, which is the right cadence for BOD 22-01-style workflows.

Choosing your PageCrawl plan

PageCrawl's Free plan lets you monitor 6 pages with 220 checks per month, which is enough to validate the approach on your most critical pages. Most teams graduate to a paid plan once they see the value.

| Plan | Price | Pages | Checks / month | Frequency |
| --- | --- | --- | --- | --- |
| Free | $0 | 6 | 220 | every 60 min |
| Standard | $8/mo or $80/yr | 100 | 15,000 | every 15 min |
| Enterprise | $30/mo or $300/yr | 500 | 100,000 | every 5 min |
| Ultimate | $99/mo or $990/yr | 1,000 | 100,000 | every 2 min |

Annual billing saves two months across every paid tier. Enterprise and Ultimate scale up to 100x if you need thousands of pages or multi-team access.

At an engineering hourly rate, Standard at $80/year pays for itself the first time you catch a breaking API change, a deprecated endpoint, or a silent config change before it takes down production. 100 monitored pages is enough to cover the changelogs and docs of every third-party API your stack depends on. Enterprise at $300/year adds higher check frequency, 500 pages, and full API access. All plans include the PageCrawl MCP Server, which plugs directly into Claude, Cursor, and other MCP-compatible tools. Developers can ask "what changed in the Stripe API docs this month?" and get a summary pulled from your own monitoring history. Paid plans unlock write access so AI tools can create monitors and trigger checks through conversation, turning your tracked pages into a living knowledge base instead of a pile of alert emails.

Getting Started

Add the KEV catalog HTML page to PageCrawl on a 15-minute check schedule and route webhooks into your ticketing system. Create a free account, and the next KEV addition will become a ticket within minutes of CISA publishing it.

Once the basic flow is in place, layer on the NVD recent-additions feed, the Kubernetes CVE feed, and Docker Hub tag monitors for the upstream patch availability picture. The Standard plan at $80/year covers all of this with room to spare. For security teams operating under BOD 22-01 or any compliance regime that references KEV, the cost is rounding error against a single avoided incident response.

Last updated: 19 May, 2026
