
How To Use CISA's KEV List To Prioritize Patching

Patch the things attackers are actually exploiting.

Last updated: March 20, 2026

You have 47 vulnerabilities in your network. You can patch 10 this week. Which 10 do you pick?

If you answered "the critical ones" or "the ones my scanner flagged first," you're missing something. There's a government-maintained list of vulnerabilities that attackers are actively using right now. Start there.

It's called the CISA Known Exploited Vulnerabilities (KEV) catalog. It's free. It's updated regularly. And it's your best tool for prioritizing patching effort.

What this solves

Focuses your patching effort. Instead of chasing every CVE, you focus on the ones that matter most — the ones actively being exploited.

Prioritizes limited IT resources. Most SMBs can't patch everything immediately. KEV tells you what to do first.

Supports cyber insurance requirements. Insurers increasingly ask about KEV compliance. "We track CISA's KEV" is a good answer.

Reduces ransomware risk. Many ransomware attacks use vulnerabilities from the KEV list. Patch those first.

What can go wrong

KEV is not comprehensive. It only covers vulnerabilities that CISA has confirmed are being exploited. Your scanner might flag hundreds more. Don't ignore those entirely.

Patching breaks things. Some patches break applications. Vendors sometimes push bad updates. Test before deploying broadly.

Missing edge cases. A vulnerability might not be on KEV but is still relevant to your specific setup. Context matters.

Assuming KEV coverage is enough. KEV is a minimum bar, not a complete security strategy.

Patches applied but not verified. The update runs. Did it actually install? Did the service restart? You need to confirm.

What it costs (honest ranges)

Free manual review: $0. Download the CSV from CISA's website and cross-reference it with your vulnerability scan results. Takes 1-2 hours monthly.

Vulnerability scanners (Qualys, Tenable Nessus): $2,000-$10,000/year for small business licensing. Automates discovery and tracking.

Patch management tools (Automox, PDQ Deploy): $500-$3,000/year. Automates patching across your environment.

Managed detection and response (MDR): $1,500-$5,000/month. Includes vulnerability monitoring and remediation.

Average cost of a ransomware attack on SMB: $150,000-$500,000 including downtime, recovery, and potential ransom. Prioritized patching costs a fraction of that.

Minimum viable implementation

  1. Get the KEV list. Bookmark https://www.cisa.gov/known-exploited-vulnerabilities-catalog. Download the CSV. This is your priority list.

  2. Run a vulnerability scan. Identify what's in your environment. You can't match KEV vulnerabilities to your assets if you don't know what your assets are.

  3. Cross-reference. Compare your scan results against the KEV list. Any matches are your highest priority.

  4. Patch within 5 business days for KEV vulnerabilities. CISA's Binding Operational Directive sets this timeline for federal agencies. It's a reasonable target for an SMB too.

  5. Verify patches applied. Check that updates completed. Reboot systems. Confirm the vulnerability is no longer present in your next scan.
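Steps 1, 3 and 4 above, as an added example that is not from the original article: a small Python script that cross-references a scanner export with the KEV CSV, puts KEV matches at the top of the patch queue (ransomware-linked ones first), computes the 5-business-day due date from when each finding was first seen, and flags what is overdue. The KEV column names follow the header of the public CSV download; the rows, hosts and CVE IDs are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the KEV CSV: column names follow the header of the
# public catalog download, but every row and CVE ID here is made up.
KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,knownRansomwareCampaignUse,notes,cwes
CVE-2099-1001,ExampleVendor,Example VPN,Example VPN auth bypass,2026-03-02,constructed,Apply updates per vendor instructions.,2026-03-16,Known,,
CVE-2099-1002,ExampleVendor,Example Mail,Example Mail RCE,2026-03-10,constructed,Apply updates per vendor instructions.,2026-03-24,Unknown,,
"""
# Constructed scanner export (host, CVE, date the finding first appeared).
SCAN_CSV = """\
host,cve,first_seen
vpn-01,CVE-2099-1001,2026-03-09
mail-01,CVE-2099-1002,2026-03-12
mail-01,CVE-2099-2000,2026-03-12
fs-01,CVE-2099-3000,2026-03-01
"""
SLA_BUSINESS_DAYS = 5  # the article's patch target for KEV-listed findings

def load_kev(text):
    # Index catalog rows by CVE ID for direct lookup during cross-referencing.
    return {row["cveID"]: row for row in csv.DictReader(io.StringIO(text))}

def add_business_days(start, n):
    # Date n weekdays after start; weekends skipped, public holidays ignored.
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def prioritize(kev_text, scan_text, today):
    # Cross-reference findings with KEV and order the queue: KEV hits first
    # (ransomware-linked ahead), then non-KEV findings, which are kept, not dropped.
    kev, today, queue = load_kev(kev_text), date.fromisoformat(today), []
    for f in csv.DictReader(io.StringIO(scan_text)):
        entry = kev.get(f["cve"])
        first_seen = date.fromisoformat(f["first_seen"])
        due = add_business_days(first_seen, SLA_BUSINESS_DAYS) if entry else None
        queue.append({
            "host": f["host"], "cve": f["cve"], "in_kev": entry is not None,
            "ransomware": entry is not None and entry["knownRansomwareCampaignUse"] == "Known",
            "due": due, "overdue": due is not None and today > due,
        })
    queue.sort(key=lambda q: (not q["in_kev"], not q["ransomware"], q["due"] or date.max))
    return queue
```

Point the script at the real catalog download and your scanner's host/CVE export to produce the same queue for your own environment; the non-KEV rows at the bottom are the "other 37" the article says not to ignore.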

Vendor questions (copy/paste)

Ask your IT vendor or MSP:

  • Do you monitor the CISA KEV catalog?
  • What's your process for KEV vulnerabilities specifically?
  • What's your average time to patch a KEV-listed vulnerability?
  • Do you verify that patches are applied successfully?

Ask your vulnerability scanner vendor:

  • Can you filter scan results by CISA KEV status?
  • Do you alert specifically when KEV vulnerabilities are found?
  • Can you export a report of only KEV-affected systems?

When to hire help

Your team can't patch within 5 days of a KEV disclosure. Either get more resources or hire someone who can.

You have no vulnerability scanning. You don't know what's exposed. Get eyes on your environment.

You keep getting flagged on cyber insurance questionnaires. Insurers want to see KEV processes. A managed services provider can implement this.

You've had a near-miss or actual incident. If attackers exploited a KEV vulnerability against you, something in your process failed. Find the gap.


KEV isn't the only thing you should patch. But it's the best place to start when you have limited time and resources. Get those 10 patches right before you worry about the other 37.
