Agent skill

performing-cve-prioritization-with-kev-catalog

Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS and CVSS to prioritize CVE remediation based on real-world exploitation evidence.

View SKILL.md on GitHub Repository
Stars 4,300
Forks 470

Install this agent skill to your Project

npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/performing-cve-prioritization-with-kev-catalog

SKILL.md

Performing CVE Prioritization with KEV Catalog

Overview

The CISA Known Exploited Vulnerabilities (KEV) catalog, established through Binding Operational Directive (BOD) 22-01, is a living list of CVEs that have been actively exploited in the wild and carry significant risk. As of early 2026, the catalog contains over 1,484 entries, growing 20% in 2025 alone with 245 new additions. This skill covers integrating the KEV catalog into vulnerability prioritization workflows alongside EPSS (Exploit Prediction Scoring System) and CVSS to create a risk-based approach that prioritizes vulnerabilities with confirmed exploitation activity over theoretical severity alone.

When to Use

  • When conducting security assessments that involve performing cve prioritization with kev catalog
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Access to vulnerability scan results (Qualys, Nessus, Rapid7, etc.)
  • Familiarity with CVE identifiers and NVD
  • Understanding of CVSS scoring (v3.1 and v4.0)
  • API access to CISA KEV, EPSS, and NVD endpoints
  • Python 3.8+ with requests and pandas libraries

Core Concepts

CISA KEV Catalog Structure

Each KEV entry contains:

  • CVE ID: The CVE identifier (e.g., CVE-2024-3094)
  • Vendor/Project: Affected vendor and product name
  • Vulnerability Name: Short description of the vulnerability
  • Date Added: When CISA added it to the catalog
  • Short Description: Brief technical description
  • Required Action: Recommended remediation action
  • Due Date: Deadline for federal agencies (FCEB) to remediate
  • Known Ransomware Campaign Use: Whether ransomware groups exploit it

BOD 22-01 Remediation Timelines

CVE Publication Date Remediation Deadline
2021 or later 2 weeks from KEV listing
Before 2021 6 months from KEV listing

Multi-Factor Prioritization Model

Factor Weight Data Source Rationale
CISA KEV Listed 30% CISA KEV JSON feed Confirmed active exploitation
EPSS Score 25% FIRST EPSS API Predicted exploitation probability
CVSS Base Score 20% NVD API v2.0 Intrinsic vulnerability severity
Asset Criticality 15% CMDB/Asset inventory Business impact context
Network Exposure 10% Network architecture Attack surface accessibility

KEV + EPSS Decision Matrix

KEV Listed EPSS > 0.5 CVSS >= 9.0 Priority SLA
Yes Any Any P1-Emergency 48 hours
No Yes Yes P1-Emergency 48 hours
No Yes No P2-Critical 7 days
No No Yes P2-Critical 7 days
No No No (>= 7.0) P3-High 14 days
No No No (>= 4.0) P4-Medium 30 days
No No No (< 4.0) P5-Low 90 days

Workflow

Step 1: Fetch and Parse the KEV Catalog

python
import requests
import json
from datetime import datetime

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

def fetch_kev_catalog():
    """Download and parse the CISA KEV catalog."""
    response = requests.get(KEV_URL, timeout=30)
    response.raise_for_status()
    data = response.json()

    catalog = {}
    for vuln in data.get("vulnerabilities", []):
        cve_id = vuln["cveID"]
        catalog[cve_id] = {
            "vendor": vuln.get("vendorProject", ""),
            "product": vuln.get("product", ""),
            "name": vuln.get("vulnerabilityName", ""),
            "date_added": vuln.get("dateAdded", ""),
            "description": vuln.get("shortDescription", ""),
            "action": vuln.get("requiredAction", ""),
            "due_date": vuln.get("dueDate", ""),
            "ransomware_use": vuln.get("knownRansomwareCampaignUse", "Unknown"),
        }

    print(f"[+] Loaded {len(catalog)} CVEs from CISA KEV catalog")
    print(f"    Catalog version: {data.get('catalogVersion', 'N/A')}")
    print(f"    Last updated: {data.get('dateReleased', 'N/A')}")
    return catalog

kev = fetch_kev_catalog()

Step 2: Enrich with EPSS Scores

python
EPSS_API = "https://api.first.org/data/v1/epss"

def get_epss_scores(cve_list):
    """Fetch EPSS scores for a batch of CVEs."""
    scores = {}
    batch_size = 100
    for i in range(0, len(cve_list), batch_size):
        batch = cve_list[i:i + batch_size]
        cve_param = ",".join(batch)
        response = requests.get(EPSS_API, params={"cve": cve_param}, timeout=30)
        if response.status_code == 200:
            for entry in response.json().get("data", []):
                scores[entry["cve"]] = {
                    "epss": float(entry.get("epss", 0)),
                    "percentile": float(entry.get("percentile", 0)),
                }
    return scores

Step 3: Build the Prioritization Engine

python
import pandas as pd

def prioritize_vulnerabilities(scan_results, kev_catalog, epss_scores):
    """Apply multi-factor prioritization to scan results."""
    prioritized = []

    for vuln in scan_results:
        cve_id = vuln.get("cve_id", "")
        cvss_score = float(vuln.get("cvss_score", 0))
        asset_criticality = float(vuln.get("asset_criticality", 3))
        exposure = float(vuln.get("network_exposure", 3))

        in_kev = cve_id in kev_catalog
        kev_data = kev_catalog.get(cve_id, {})
        epss_data = epss_scores.get(cve_id, {"epss": 0, "percentile": 0})
        epss_score = epss_data["epss"]

        # Composite risk score calculation
        risk_score = (
            (1.0 if in_kev else 0.0) * 10 * 0.30 +
            epss_score * 10 * 0.25 +
            cvss_score * 0.20 +
            (asset_criticality / 5.0) * 10 * 0.15 +
            (exposure / 5.0) * 10 * 0.10
        )

        # Assign priority level
        if in_kev or (epss_score > 0.5 and cvss_score >= 9.0):
            priority = "P1-Emergency"
            sla_days = 2
        elif epss_score > 0.5 or cvss_score >= 9.0:
            priority = "P2-Critical"
            sla_days = 7
        elif cvss_score >= 7.0:
            priority = "P3-High"
            sla_days = 14
        elif cvss_score >= 4.0:
            priority = "P4-Medium"
            sla_days = 30
        else:
            priority = "P5-Low"
            sla_days = 90

        prioritized.append({
            "cve_id": cve_id,
            "cvss_score": cvss_score,
            "epss_score": round(epss_score, 4),
            "epss_percentile": round(epss_data["percentile"], 4),
            "in_cisa_kev": in_kev,
            "ransomware_use": kev_data.get("ransomware_use", "N/A"),
            "kev_due_date": kev_data.get("due_date", "N/A"),
            "risk_score": round(risk_score, 2),
            "priority": priority,
            "sla_days": sla_days,
            "asset": vuln.get("asset", ""),
            "asset_criticality": asset_criticality,
        })

    df = pd.DataFrame(prioritized)
    df = df.sort_values("risk_score", ascending=False)
    return df

Step 4: Generate Prioritization Report

python
def generate_report(df, output_file="kev_prioritized_report.csv"):
    """Generate summary report from prioritized vulnerabilities."""
    print("\n" + "=" * 70)
    print("VULNERABILITY PRIORITIZATION REPORT - KEV + EPSS + CVSS")
    print("=" * 70)

    print(f"\nTotal vulnerabilities analyzed: {len(df)}")
    print(f"KEV-listed vulnerabilities:    {df['in_cisa_kev'].sum()}")
    print(f"Ransomware-associated:         {(df['ransomware_use'] == 'Known').sum()}")

    print("\nPriority Distribution:")
    print(df["priority"].value_counts().to_string())

    print("\nTop 15 Highest Risk Vulnerabilities:")
    top = df.head(15)[["cve_id", "cvss_score", "epss_score", "in_cisa_kev",
                        "risk_score", "priority"]]
    print(top.to_string(index=False))

    df.to_csv(output_file, index=False)
    print(f"\n[+] Full report saved to: {output_file}")

Best Practices

  1. Update the KEV catalog daily since CISA adds new entries multiple times per week
  2. Always cross-reference KEV with EPSS; a CVE may have high EPSS but not yet be in KEV
  3. Treat all KEV-listed CVEs as P1-Emergency regardless of CVSS score
  4. Pay special attention to KEV entries flagged with "Known Ransomware Campaign Use"
  5. Automate KEV comparison against your vulnerability scan results in CI/CD pipelines
  6. Track KEV due dates separately for FCEB compliance requirements
  7. Use KEV as a leading indicator for threat hunting; if a CVE is added, check for prior exploitation in your environment

Common Pitfalls

  • Relying solely on CVSS scores without checking KEV or EPSS data
  • Not updating the KEV catalog frequently enough (CISA updates multiple times weekly)
  • Treating non-KEV CVEs as safe; they may be exploited but not yet cataloged
  • Ignoring the "ransomware use" field which indicates highest-urgency threats
  • Using KEV only for compliance instead of integrating into overall risk management

Related Skills

  • prioritizing-vulnerabilities-with-cvss-scoring
  • building-vulnerability-data-pipeline-with-api
  • implementing-threat-intelligence-scoring
  • implementing-vulnerability-remediation-sla

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

mukul975/Anthropic-Cybersecurity-Skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

4,300 470
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results