KEVIntel Methodology
How KEVIntel collects, attests, enriches, scores, and delivers exploited-vulnerability intelligence.
Observe → Attest → Score → Enrich → Operationalize → Deliver
KEVIntel is designed to help security teams move from vulnerability noise to exploitation signal. The workflow below describes how intelligence moves from raw sources to operational delivery.
Observe
Monitor public sources, advisories, CISA KEV, RSS feeds, honeypots, and custom sensors for exploitation signals.
Attest
Validate exploitation evidence and source credibility before a CVE is treated as known exploited.
Score
Assign confidence based on source quality, specificity, telemetry, corroboration, and validation.
Enrich
Add EPSS, CVSS, CWE, timelines, PoCs, Nuclei, Metasploit, scanner context, online mentions, and product context.
Operationalize
Convert exploitation intelligence into detection context, request indicators, payload fingerprints, virtual patch guidance, and false-positive notes.
Deliver
Provide intelligence through UI, RSS, Pro API, and workflow-ready exports.
What Counts as a KEV?
A vulnerability is treated as a known exploited vulnerability when there is credible evidence of exploitation in the wild. KEVIntel includes the official CISA KEV catalog and adds additional exploited-CVE attestations from public and proprietary sources.
When KEVIntel cites honeypot or sensor evidence as attestation, exploitation activity means an attempt to exploit a vulnerability, whether or not the target was actually vulnerable or the attempt succeeded. Sensor-derived KEV attestations reflect observed attempts mapped to a CVE — not proof that a specific organisation was compromised.
Valid attestation sources can include:
- CISA KEV
- Vendor advisories that explicitly state active exploitation, observed attacks, or equivalent language
- Shadowserver and Microsoft CVRF reporting of known exploitation
- Credible public reporting that documents exploitation in the wild
- KEVIntel honeypot and sensor evidence of exploitation attempts mapped to a CVE
KEVIntel does not treat a generic patch advisory, PoC release, scanner template, or exploitability claim alone as sufficient evidence of known exploitation.
Confidence Scoring
KEVIntel assigns a confidence level to help teams prioritise faster. Levels are computed from attestation sources, exploitation status, and sensor telemetry. Rules may evolve as the product matures; per-CVE evidence is always shown on the CVE detail page.
CISA source attestation, or a retained sensor observation with high confidence.
Exploitation confirmed by one or more reputable sources, including direct vendor advisories, but not yet observed in KEVIntel sensors.
Retained sensor observation explicitly tagged medium confidence.
Retained sensor observation explicitly tagged low confidence.
How Confidence Scoring Works
Confidence scoring is how KEVIntel separates strong exploitation evidence from weak signals, so teams are not over-mapping random honeypot noise to a CVE. We weigh the following inputs when deciding how strongly a vulnerability is tied to real-world exploitation:
Source Quality
Authoritative sources (CISA KEV, vendor advisories stating exploitation, Shadowserver, credible reporting) carry more weight than unverified or low-trust signals.
Endpoint Specificity
Activity targeting a CVE-specific endpoint or request path scores higher than generic scanning or product homepage probing.
Payload Fidelity
CVE-specific payload structures and known exploit fingerprints score higher than non-specific or ambiguous payloads.
Repeat Observations
Activity seen repeatedly, across time and from different sources, is stronger than a single low-fidelity request.
Sensor Telemetry
First-hand honeypot and sensor observations of exploitation attempts strengthen confidence when the activity is sufficiently CVE-specific.
Public Corroboration
Independent public reporting or advisories that corroborate the same exploitation raise confidence.
Human Validation
KEVIntel applies human review where needed for KEVIntel-attested entries, especially when automated signals are ambiguous.
When evidence is weak or mapping is uncertain, KEVIntel uses lower confidence and language such as "activity targeting endpoints associated with" or "consistent with exploitation of," rather than over-claiming. Per-CVE evidence is always shown on the CVE detail page.
Sensor Telemetry
KEVIntel uses a global honeypot and sensor network to observe exploitation attempts against internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence.
Exploitation activity means an attempt to exploit a vulnerability, whether or not the target was actually vulnerable or the attempt succeeded. Event counts, charts, and telemetry on KEVIntel reflect this definition.
We describe observed exploitation attempts and activity consistent with exploitation — not confirmed compromise of a specific victim organisation unless separately documented by a credible source.
Aggregate telemetry charts and daily activity trends are available for the last 90 days. First and last observed timestamps reflect all-time sensor history. Raw per-event detail (attacker IPs, request paths, payloads) is retained for 30 days publicly and 90 days for Enterprise customers.
False Positives and Review
Sensor mapping, automated enrichment, and high-volume public sources can produce noise. KEVIntel applies human review for KEVIntel-attested entries and uses confidence scoring to surface stronger signals first.
- Scanner-like or indiscriminate traffic may map to a CVE with lower confidence until corroborated.
- Vendor advisories without explicit exploitation language are not used as KEV attestation on their own.
- PoCs and scanner templates enrich context but do not by themselves establish known exploitation.
- Teams should validate exposure and relevance in their own environment before treating any signal as an immediate remediation mandate.
What KEVIntel Does Not Claim
- Complete coverage of every exploited vulnerability in the wild
- That every signal is always earlier than CISA KEV — we surface earlier signals when evidence supports it
- Replacement of CISA KEV or your vulnerability management programme
- Proof of compromise of a specific customer environment from sensor telemetry alone
- Prevention of breaches or guaranteed detection in your estate
CISA KEV is authoritative and valuable. KEVIntel complements it with additional exploited-CVE coverage, enrichment, RSS delivery, proprietary telemetry, and automation-ready Pro API access.