KEVIntel Methodology
How KEVIntel collects, attests, enriches, scores, and delivers exploited-vulnerability intelligence.
Collect → Attest → Enrich → Deliver
KEVIntel is designed to help security teams move from vulnerability noise to exploitation signal. The workflow below describes how intelligence moves from raw sources to operational delivery.
- Collect: CISA KEV, RSS feeds, advisories, public reporting, honeypots, and sensors.
- Attest: Validate exploitation evidence and source credibility before a CVE is treated as a KEV.
- Enrich: Add PoCs, scanner context, EPSS, CVSS, CWE, timelines, mentions, and sensor telemetry.
- Deliver: UI, RSS, JSON, and Pro API for automation-ready workflows.
What Counts as a KEV?
A vulnerability is treated as a known exploited vulnerability when there is credible evidence of exploitation in the wild. KEVIntel includes the official CISA KEV catalog and adds additional exploited-CVE attestations from public and proprietary sources.
Valid attestation sources can include:
- CISA KEV
- Vendor advisories that explicitly state active exploitation, observed attacks, or equivalent language
- Shadowserver and Microsoft CVRF reporting of known exploitation
- Credible public reporting that documents exploitation in the wild
- KEVIntel honeypot and sensor evidence of exploitation attempts mapped to a CVE
KEVIntel does not treat a generic patch advisory, PoC release, scanner template, or exploitability claim alone as sufficient evidence of known exploitation.
Confidence Scoring
KEVIntel assigns a confidence level to help teams prioritise faster. Levels are computed from attestation sources, exploitation status, and sensor telemetry. Rules may evolve as the product matures; per-CVE evidence is always shown on the CVE detail page.
The four levels, from highest to lowest confidence, are assigned as follows:
- CISA source attestation, or exploited-in-the-wild status backed by an authoritative source such as CISA or Microsoft.
- High-confidence sensor observation in the last 7 days, or multiple distinct attestation sources for the same CVE.
- Any sensor activity mapped to the CVE, or a single credible non-CISA attestation.
- KEV exists but only weak or partial exploitation signals are available.
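The rules above, together with the attestation criteria from "What Counts as a KEV?", can be written down as a decision procedure. This is an added illustration, not KEVIntel's own code: the page does not name the four levels, so they are numbered 4 (highest) to 1 (lowest), the source-kind strings and the fixed reference time are constructed, and evidence passed in is assumed to have already passed credibility review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (constructed, not live).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Source kinds the methodology accepts as KEV attestation (names are assumed).
ATTESTING_KINDS = {"cisa_kev", "vendor_advisory", "shadowserver",
                   "microsoft_cvrf", "public_report"}
AUTHORITATIVE_KINDS = {"cisa_kev", "microsoft_cvrf"}
# Enrichment-only signals: useful context, never attestation on their own.
ENRICHMENT_ONLY = {"patch_advisory", "poc", "scanner_template",
                   "exploitability_claim"}

@dataclass(frozen=True)
class Evidence:
    kind: str                           # one of the kinds above
    source: str                         # publisher, used to count distinct sources
    explicit_exploitation: bool = True  # advisories must state active exploitation
    itw: bool = False                   # source asserts exploited-in-the-wild status

@dataclass(frozen=True)
class SensorHit:
    observed: datetime
    high_confidence: bool

def hit_days_ago(days: int, high_confidence: bool) -> SensorHit:
    """Build a constructed sensor observation relative to NOW."""
    return SensorHit(NOW - timedelta(days=days), high_confidence)

def is_attestation(e: Evidence) -> bool:
    """Admission rule: listed kinds only, and vendor advisories only when they
    explicitly state active exploitation or observed attacks."""
    if e.kind in ENRICHMENT_ONLY or e.kind not in ATTESTING_KINDS:
        return False
    return e.kind != "vendor_advisory" or e.explicit_exploitation

def confidence(evidence, sensor_hits, now=NOW) -> int:
    """Return 4 (highest) .. 1 (lowest) for a CVE already admitted as a KEV."""
    attest = [e for e in evidence if is_attestation(e)]
    if any(e.kind == "cisa_kev" or (e.itw and e.kind in AUTHORITATIVE_KINDS)
           for e in attest):
        return 4
    recent_high = any(h.high_confidence and now - h.observed <= timedelta(days=7)
                      for h in sensor_hits)
    if recent_high or len({e.source for e in attest}) >= 2:
        return 3
    if sensor_hits or attest:
        return 2
    return 1
```

Note that a stale high-confidence sensor hit drops to the third level, and an advisory without explicit exploitation wording plus a PoC yields only the lowest level, matching the "False Positives and Review" rules.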
Sensor Telemetry
KEVIntel uses a global honeypot and sensor network to observe exploitation attempts against internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence.
We describe observed exploitation attempts and activity consistent with exploitation — not confirmed compromise of a specific victim organisation unless separately documented by a credible source.
Sensor observations are retained for 30 days on the public web UI. Pro API customers receive immediate telemetry access for operational workflows.
False Positives and Review
Sensor mapping, automated enrichment, and high-volume public sources can produce noise. KEVIntel applies human review for KEVIntel-attested entries and uses confidence scoring to surface stronger signals first.
- Scanner-like or indiscriminate traffic may map to a CVE with lower confidence until corroborated.
- Vendor advisories without explicit exploitation language are not used as KEV attestation on their own.
- PoCs and scanner templates enrich context but do not by themselves establish known exploitation.
- Teams should validate exposure and relevance in their own environment before treating any signal as an immediate remediation mandate.
What KEVIntel Does Not Claim
- Complete coverage of every exploited vulnerability in the wild
- That every signal is always earlier than CISA KEV — we surface earlier signals when evidence supports it
- Replacement of CISA KEV or your vulnerability management programme
- Proof of compromise of a specific customer environment from sensor telemetry alone
- Prevention of breaches or guaranteed detection in your estate
CISA KEV is authoritative and valuable. KEVIntel complements it with additional exploited-CVE coverage, enrichment, RSS delivery, proprietary telemetry, and automation-ready Pro API access.