Not every software vulnerability is the same. With over 48,100 vulnerabilities in 2025, up 21% from the year before, IT and security teams are trying to figure out which vulnerabilities require patching now and which can wait. Although several methods exist, such as the Likely Exploited Vulnerabilities (LEV) equation and the Exploit Prediction Scoring System (EPSS), many businesses use the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog to get a short list of high-impact vulnerabilities that require quick attention.

According to Tod Beardsley, a former section chief for the CISA KEV group and current vice president of security research at runZero, a cyber-exposure management company, the list regrettably does not line up with the cybersecurity priorities of most organizations. "It's detrimental, in my opinion, if you are not in the federal civilian executive branch of government to treat KEV as a must-patch list, because what that will end up doing is burning a lot of cycles and [you] only got so many cycles in the day," he says.

Source: "KEVology" paper from runZero

To let cybersecurity teams filter current issues by multiple criteria, the KEV Collider combines the KEV Catalog with additional data, including Common Vulnerability Scoring System (CVSS) scores, EPSS scores, and whether a Metasploit module automates the exploit. For instance, the 235 KEVs that are also covered by Metasploit and the Nuclei application testing framework represent extremely commoditized exploits, so any business running an affected product should treat them as urgent.
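The filtering described above, as an added example that is not runZero's or CISA's code: it combines KEV membership with EPSS, CVSS, public exploit-module availability, and the organization's own asset inventory to sort entries into patch-now, patch-soon, and track tiers. The KEV fields mirror the names in CISA's public KEV JSON feed (cveID, vendorProject, product); the enrichment fields (cvss, epss, metasploit, nuclei), the EPSS threshold, and the tier rules are assumptions for this example, and every record is constructed sample data, not a real CVE.

```python
"""Added example: tier KEV entries by combining several signals.

KEV field names follow CISA's public KEV JSON feed; the enrichment fields
and thresholds are assumptions for this example, and all records below are
constructed sample data rather than real vulnerabilities.
"""
from dataclasses import dataclass

EPSS_HIGH = 0.5  # assumed threshold: probability of exploitation in 30 days


@dataclass(frozen=True)
class KevEntry:
    cve_id: str          # KEV feed field "cveID"
    vendor: str          # KEV feed field "vendorProject"
    product: str         # KEV feed field "product"
    cvss: float          # enrichment (assumed): CVSS base score
    epss: float          # enrichment (assumed): EPSS probability, 0..1
    metasploit: bool     # enrichment (assumed): public Metasploit module exists
    nuclei: bool         # enrichment (assumed): public Nuclei template exists


def triage_tier(entry: KevEntry, inventory: set[tuple[str, str]]) -> str:
    """Return 'patch-now', 'patch-soon' or 'track' for one KEV entry.

    track:      the affected product is not deployed, so KEV membership alone
                does not make it a must-patch for this organization.
    patch-now:  deployed, and the exploit is commoditized (public Metasploit or
                Nuclei coverage) or EPSS says exploitation is likely.
    patch-soon: deployed, but no commodity exploit and low EPSS.
    """
    deployed = (entry.vendor.lower(), entry.product.lower()) in inventory
    if not deployed:
        return "track"
    if entry.metasploit or entry.nuclei or entry.epss >= EPSS_HIGH:
        return "patch-now"
    return "patch-soon"


def prioritize(entries, inventory):
    """Sort entries by tier, then EPSS and CVSS descending; return (tier, cve_id) pairs."""
    order = {"patch-now": 0, "patch-soon": 1, "track": 2}
    ranked = sorted(
        entries,
        key=lambda e: (order[triage_tier(e, inventory)], -e.epss, -e.cvss),
    )
    return [(triage_tier(e, inventory), e.cve_id) for e in ranked]


# Constructed sample KEV entries; CVE ids are placeholders, not real records.
SAMPLE_KEV = [
    KevEntry("CVE-0000-0001", "ExampleVendor", "EdgeGateway", 9.8, 0.92, True, True),
    KevEntry("CVE-0000-0002", "ExampleVendor", "EdgeGateway", 7.5, 0.12, False, False),
    KevEntry("CVE-0000-0003", "OtherVendor", "DesktopAgent", 8.8, 0.70, True, False),
    KevEntry("CVE-0000-0004", "ExampleVendor", "MailServer", 6.5, 0.03, False, False),
]

# Constructed asset inventory: (vendor, product) pairs the organization runs.
SAMPLE_INVENTORY = {("examplevendor", "edgegateway"), ("examplevendor", "mailserver")}

if __name__ == "__main__":
    for tier, cve in prioritize(SAMPLE_KEV, SAMPLE_INVENTORY):
        print(f"{tier:11s} {cve}")
```

The point of the inventory check is the one Beardsley makes: a KEV entry for a product you do not run lands in the track tier, while the same entry with a public Metasploit or Nuclei module against a deployed product goes straight to the top of the queue.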

Beardsley explains, "The novel thing here is the smashing together of several signals into a mental framework that you can take, and when the next KEV comes out, you can look at it quickly, and you say, oh, do I have to care about this now? Can I give this any thought tomorrow?...