Loading summary
A
Hey, this is Casey Ellis for Risky Business, and today we are talking to Todd Beardsley from Run Zero. So Todd literally used to run CiscoKEV, the list that tells federal agencies which volumes to patch or else. And he's just dropped a research paper called Kevology that basically takes the thing apart and puts it back together again. It turns out that only a third of Kev volumes are the straight shot RCE bugs that most people would assume they are. Commodity exploits often exist for years before a volume even hits Kev. And the whole thing is a lot more nuanced than the compliance punch list that most organizations treat it as. So let's get into it. It's great to see you, Todd.
B
It is delightful to see you again, Kasey. It's been too long.
A
It's been way too long. So. Yeah, tell me about Cavology.
B
Well, thanks. I'm glad you asked.
A
Where do you want to go from here, pal?
B
Yeah. So, Keval, I was kicking around with this for a while. Like, this is the kind of thing I wanted to do back when I worked in federal Service, because we published. When I was. Back when I worked at cisa, we published the list, right? We published the kanone Exploited vulnerabilities catalog. And you have to say kanone or else the acronym doesn't make sense.
A
Otherwise the acronym fails. Yep.
B
Right. So it's the known exploiteds, and we publish this catalog and we update it a few times a week. Right? And it was super fun. It was great. It was like my whole job was playing, like, exploit detective. It was so rad. And one of the best jobs I've ever had, honestly. And top. Top three. But, like, I was always a little dissatisfied with, like, the way we presented it. And I'm not a marketing guy, I promise. I. I know that I work in marketing, but that's just because all research is in marketing, actually, like it or not. And so we published the list and we didn't want. Mainly we didn't want agencies, federal agencies to, like, look at the list and say, like, cool, that's a long list. What should I do first for the federal civilian executive branch agencies, you have to do them all first. And that's just the way it goes, right? Because it's all tied back to BOD 2201, which is binding Operational Directive 2201, which say. Which states that CISA must produce a list and states that the agencies under CISA's authorities must patch the things on the list at a due date that is also on the list. Right. And so there's no notion of like prioritization or this thing is worse than that thing, or this thing is like tearing up the Internet. So I got to get to this first. There's not, none of that, none of that is in the kev. But what people don't realize is that a lot of that data is somewhere, right? And you. And it doesn't take a ton of work. It took some work to kind of, you know, just collide all those together, just like smush them all up and say like, all right, here's my list of kevs. Here's a bunch of other stuff around these vulnerabilities. Let's like make a kind of normal standard JSON format, because that's what the world needs, and publish that, right? And then see what falls out, like when you start looking at it. So like you said at the top, right, like these straight shot RCE vulnerabilities, which in cavology parlance is like, it has a CVSS score. It the cv, and that is the common vulnerability scoring system has a cvs. I don't know, man. I will expand every acronym.
A
You're going to keep me on my. Not committing an acronym foul game on this one. So it's good.
B
So it has a CVSS score, for starters, anywhere. And in that cvss, it's like the attack vector is over the network. There's no user interaction required, there's no special privileges required, and it's a high impact to integrity. Right? That kind of thing. And so I just want to pick out those bits. It's not the CVSS score, it's not the CVSS severity. It's like those specific things that are in CBSs. And what if I picked all those out and just said like, oh, I want to filter the KEV on that? Well, turns out that was really hard until today, Casey, because I have a whole paper talking about how to do that. Like, the methodology part of the paper is pretty thorough, I think. But even so, if you don't want to write your own code, don't worry, we've written some code for you. And it's on the KEV collider, which is on the Run Zero website. And it basically just filters. It takes all the JSON stuff that I made in the course of writing this paper and presents it in a very delightful way, right? And then you can just click through filter and then you'll see that there's like 400 out of the 1500 and change. Right? Fit that criteria. And if I'm not a federal agent agency. Right. That must do everything. Right. When it's due, I can take that and I can say like, okay, these are the ones that I actually care about right now. Right. I care about everything, obviously, because I'm a compassionate person when it comes to my computers. But I will care today about these. I'll care about some other criteria. Tomorrow. I'll care about others. Next week I'll care about others. Maybe never. Right. So that was kind of the genesis of it. It was born partly from the frustration that I had when I was in federal government and professional frustration, obviously, that we didn't have any sort or anything on just the web page.
A
Yeah. And if everything's a priority, then nothing becomes a priority at that point. You got to be able to drive things top down. I mean, I think it's interesting you and I have jammed on this stuff. I definitely don't have the bird dog seat of the process around, Kev, that you do, but I think we've been sort of jamming on similar problems for decades at this point. And this idea of, you know, exploitability from like the functional aspects that exist around a vulnerability and reachability, all that kind of stuff that you've. You've kind of just talked about filtering there. Yeah. The other side. I think there is still to some degree a common misconception that, that Kev is just looking at those things when it comes to the vulnerability and its likelihood of attack. And then there's also some of the other stuff that that's in there that maybe you can go into around, like, what can you actually do about it? Is there is this stuff that can be done to, to achieve this from a remediation standpoint.
B
Yeah. I mean, like, I think one of the most common misconceptions about the cav. And I'm but one man, Casey. I can only talk to so many people so much and. But one of the common misconceptions that I'm constantly like, batting down is like this idea that, like, oh, it's on the cab. It must be the worst of the worst of the worst. Right. It must be the worst. Exploit the worst exploits. Let's just call it that for now. In the world that the US government has identified is affecting like federal government systems by spies or whatever, and that that must be what the Kev is. And like there's, there's like four or five clauses in there that are just wrong, you know, like it's a list of vulnerabilities, not exploits. It doesn't have to involve the federal government directly to end up on the kev. They're not the worst of the worst. There's an actually kind of an interesting bell curve when you look at EPSS scores, for example, where there's like a big cluster of very like, unlikely to be exploited on the left and then it kind of curves down and then comes back up on the right. But there's a big gap in the middle where it's like eh, maybe you know, according to epss. And so you can combine things like that, right? You can combine EPSS scores with CVSS ratings with. Is there a metasploit module? Is there a nuclei template? And then you can get like really complicated filtering going on of like oh well, this one. Okay, if I, if I apply all these five things, I come out with four vulnerabilities that are like probably worst of the worst, right? Yeah, yeah. But that leaves you with 1500 and change to go. And it's not just federal agencies that use the KEV now. Like it's been out for a while. It's been picked up internationally for sure. All of our international friends often I call it cheating off our homework. And I'm totally happy for them to do it. Right? I'm the cool friend in school that totally will let you cheat off my homework. It's fine. And say how you doing Canada? And I love it when they do. Right? It's great because we've done the work. And there's stupid for you to do the work too. Obviously sovereign nations are a thing and you should all do your own homework, blah, blah, blah. But like we do the work and we publish it, right? And so, but it's not even just that, right? Also internally in the U.S. like state, local, territorial and tribal governments also use the KEV as kind of guidance of like at least a floor of where their patching ought to be at. They'll use it as a news source even though KEV is like super late to the game almost always, you know, and so then like, so you have all of these like public service government, quasi government agencies that are all relying on the CAV and they don't have to care about the, the mandate, right? Of BOD 2201 that says you must patch all and you must patch all inside of usually three weeks, right? They can make up their own patch schedules. They can pick and choose off the list, right? Like they're allowed to do that if they're not federal, civilian, executive branch. And I understand why CISA doesn't want to have that embedded in their thing and that's fine. Like they have a particular audience that they publish this for and it's not their fault that everyone thinks it's cool, you know.
A
No, it's your, it's your fault. Right? Go back to the cool kid that lets them let others copy the homework.
B
It's basically my fault. I was a big proponent of the CAV before I started the federal government. Back when I worked at Rapid7, I was at a vulnerability management company and we're like, oh, look at this, the government has published a list of cool Vaughn's and it's like 2 or 300. And that's a very tractable problem for most enterprise IT shops, which is what I cared about when I was at Rabbit seven.
A
Well this is, this is where I was about to jump to sort of based off what you were just saying there. Because like the whole idea of there being a federal civilian mandate from, from 2201 off the back of Kev, but then seeing it get reproduced in other countries going kind of down downstream into, you know, state agencies and all those different things here, you know, one of the things that I definitely saw around Kev was basically enterprise in the corporate world peeking over the fence and saying hey, like if I'm a CISO and the, the problem that I face every single day is waking up figuring out what I need to do next. Like there's all of the, there's all of the strategic stuff and the plan stuff and all of that, but none of those plans survive first contact necessarily. What is that first contact going to look like and how do I like factor that into my planning from a remediation standpoint like this overall concept of like here are the things that are most likely to exploited. Sometimes there's high side intelligence that could be integrated in to say we've actually observed this. But then also this whole element of can you actually do anything about it? Is this a bug that you just kind of can't really do anything about at this point in time? So there's no real point drawing your attention to that when there's other things that you could do. Seeing that kind of rational, I guess economically rational in terms of time and money approach to prioritization get picked up by corporate was a pretty interesting aspect of the other side of that, I guess.
B
Yeah, for sure. And like that's a big component of the ciscav, right. Where it doesn't land on the KEV unless there is a reasonable patch or other mitigation. Right. Something that you can easily do. And so like Sizakev often gets dinged for this. It's like, oh well, you're missing all the cool ode. And it's like, yeah, I mean it's by design, it's in the bot.
A
There's a, there's a reason for that. It's a system level risk thing, right?
B
And so you, and that doesn't always mean like a software patch in hand, right? We preferred that for sure, right? Like there's a patch, it's from the vendor, it works, it actually solves a problem. You know, all of that had to be done too. Like that's part of the research job of like working on the gav. But every once in a while there would be something that's like, oh well, it's like, like D Link was like a big vendor that was an offender on this, right? Where they would say like o yep, there's a bug, it's bad, it's been exploited and oops, this thing is end of life now, so just turn it off or buy a new one or whatever, right? Like and for something like D Link, right? Like I promise you, most of the federal civilian executive branch of government is not running on D Link, I promise you this. But they do have homes and they do sometimes dial into work, right? So like it does affect federal government and D Link is a popular vendor and they make fine stuff and but because it's end of life, there's not much to do about it other than turn it off now because of the where D Link lives and the kind of price point, the kind of users they have, right? It's pretty easy to say like, okay, well you have to upgrade to a new one or you have to get a different one, a nut ear device or something, right? Like it's a commodity tech that you can swap out easily. If there was a bug that like affects Windows, like Microsoft Windows and there's no fixed, there is no way that Kev will say like, well just turn off all your Windows, switch to Linux. Guess what, it's the year of the Linux desktop now, guys. Suddenly like there's no way Kev would do that. And so that's the kind of thing that would keep a bug off the list. And I think, I think someone write in, I think the Black Lotus Yuffie bugs still don't have like a very reasonable mitigation. There's a whole bunch of stuff you have to do and it only partially works and all that. Which is why the Black Lotus bugs, it took forever to get on the kev, if they're on there at all yet. I haven't checked. I haven't checked lately. I look every week, it's like, are the Black Lotus bugs on yet? And they generally aren't. So that would be a reason to not put something on the kev.
A
All right, so I guess that leads in pretty nicely to the other binding operational directive we were talking about and some of the stuff that you've been looking into around end of life and end of service edge devices, because obviously they're kind of forever day and things that aren't necessarily easy to mitigate and there's obviously a lot of other kind of downstream, like not necessarily enterprise grade, but downstream devices that might end up getting caught up in all of that. But what's been pretty apparent over the past period of time is that they're being pretty actively exploited in terms of the changes in threat actor behavior across the Internet. So you want to go into that a little bit?
B
Sure, yeah. Hot off the presses as we're recording this. It is BOD 2602, binding Operational Directive 2602 from CISA. Concerning. I don't have it exactly right in front of me, but it is concerning the end of service of edge devices. And so you have a couple things going on there, right? Like what is end of service and what is the edge? And basically what this means, means is like CIS is taking seriously and has taken seriously. I don't want to say they haven't, but they've taken seriously in the form of a BOD that hey, federal agencies, you can't run end of Life switches, routers, VPNs, proxies, firewalls, reverse proxies, or any combination thereof. Right? Like most network vendors, you know, package two or three of these kinds of functions into one thing and just like any other software, those things do reach end of life. Sometimes it's called end of life, sometimes it's called end of service, sometimes it's called end of support. Usually I usually call them end of security because that's the one thing I care about. And so you will be faced with this, right? Like the device that you are relying on to manage your outside versus inside is itself no longer getting patches. Right? And so like that's what CIS is really concerned about. I am concerned about end of, like operating systems which are throughout your internal network. Right. I wrote a whole paper on that called Undead by Design. If you just google run 0 undead by design, you'll find it and it's all about operating systems. And the prevalence, like, by industry of how common that thing is. But this bod is very interesting to me. Like, it is something that, you know, we talked about all the time when I was. When I was in cisa. It's like, boy, like, you could get a pass on the Kev. If you just have really old stuff and you don't want that, that's not the behavior you want.
A
Well, I think that's kind of what I was getting at with the segue here as well, because we're just talking about Kev being optimized for things that you can actually do something about EOS doesn't fit into that. But this sort of comes in and kind of backfills. I guess that's. What do you want to call it, Loophole in being able to work with Kev.
B
It's a bit of a, like, if you're going to be a lawyer about it. Yeah, it's definitely a loophole. This is the thing, right? Like, when I was doing the research and the work on Undead by Design and before that. But really it was like, crystallized for me during Undead by Design and talking with HD Moore and Tom Sellers and Captain Nemo from EndOfLife Date. This guy is incredible, by the way. Please be friends with him. And he's very easy to be friends with, but he is, like, I call, like, he's like a techno necromancer. Like, he cares a lot about.
A
Yeah, that's awesome.
B
Dead tech and everybody. Hey, man, there's a. There's a nerd for every. For every topic, right? But anyway, like, talking with these folks and, you know, doing the research and doing this, like, oh, it turns out end of life stuff and end of support stuff is such a. Like, at this point, I'm like, like, is the exposure. Right? That's the thing you should care about. Like, care about that if you have to choose, which you shouldn't because security programs are holistic. But if you had to choose, I would choose chasing down your end of life stuff before your hottest CVE from two years ago. Right? That's kind of the calculus there. Because the end of life stuff will never see a fix. The exploits are forever. Like, if I have a good metasploit module for something that went end of life in 2015, I don't have to update my metasploit module ever. Like, it will work forever when I find it, the fingerprinting will get better and more accurate for good and bad, right? Like, you know, like asset management systems, exposure management systems, those kinds of things should over time get better and better at like identifying these things because they're fixed in amber, right? Like they, they just are there and they never change.
A
I fully agree with that. I do think this idea that security programs are holistic, that's an idealized before the heat death of the universe kind of concept. Because at the end of the day, economic rationalism prevails and we've all got to wake up and figure out what we're going to do that day.
B
And we all live in a serial world, right. I literally can't do more than one thing at a time. Like, humans are bad at that. Like, we all pretend that we can multitask, we can't. Like we're actually, we could probably think.
A
About more than one thing at a time, but in terms of actually doing it, that, that doesn't work.
B
Oh, I don't know. I don't know, man. I don't think human brains can do that. I think you can, I think you can entertain two ideas and have conversations, but when it comes to literally doing it, like you must context switch between.
A
Doing the actual thing. Yeah, no, it's, it's, it's, it's, it's cool. Like I, I think it's something that I've definitely been noodling on a lot with the kind of the exposure to the cybersecurity industry that I have here in the bay. Right. There has been such a strong focus on tools that assume that a vulnerability or an exposure is a problem that could be fixed with the pull request. So it's sort of like post CI cd, post cloud. Like we, we've really oriented around that and that's a problem that genuinely needs to be solved. And those companies are awesome. But in the meantime, that's like the first three turtles of a stack of like 15, right. And the remaining 12 are the ones that we're kind of talking about right now. Right?
B
Yeah. And just like kind of normal everyday vulnerabilities, right, like are not technical software vulnerabilities, but they're things like use of default password, use of easy password, use of end of service systems, poor network segmentation, network network segmentation that you thought was there but actually isn't. Those are the kinds of things that you can't just patch away. Right. Like you do have to do a thing to address it.
A
What's the call to action on this one? Because I think some of the targeting side of things in terms of the increase in that risk, obviously there's the ethical hacker or the defender response to that, which is really what Run Zero has gone off and built, right?
B
Yeah, for sure. I really like working at Run Zero and if you like the kinds of papers that I write working here, you should buy Run Zero stuff to keep me paid. And that would be through runzero.com try. Runzero.com try is your one stop shop for all things Run Zero. We offer a free trial, 21 days to kick the tires and find that asset management can be fun again. I use it in my house. I use it to keep an eye on, on my media server so I will get an alert before the kids notice. And I have actually solved this problem. I am amazed that I can do this right. So, you know, I can use it for that kind of thing. You can use Run 0, the Runzio console, for all kinds of stuff, mostly around exposure management, asset management, attack surface management, stuff like that. You can use it to find all your end of life stuff, by the way, which is cool. And, and you can use it to keep up on the Kev for sure because we have a whole program called the Rapid Response. And so with Rapid Responses, we keep an eye on the news for sure. And anything that lands on the Kev is in the news. And so we tend to highlight those things pretty routinely. Like I said earlier at the top of the show, Kev updates several times a week. So do we, you know, so yeah, runzer.com try super fun. Free. Oh, and it's free forever for the community edition, for if you have like 100 or fewer assets. So like, ideal for the house, right? Maybe not HD's house, but ideal for most people's house.
A
But I mean, like being able to, you know, look after the media server before the kids squawk. That's a hell of a pitch right there. So that's probably reason enough to read the papers and play with the toys. All right, Todd, thank you so much for your time. This has been Casey Ellis for Risky Business. This is Todd Beardsley for Run Zero. Cheers.
B
Cheers, Casey.
Episode Title: Sponsored: Filtering the KEV was really hard … Until now!
Date: February 15, 2026
Host: Casey Ellis (A)
Guest: Todd Beardsley, Run Zero (B)
In this episode, Casey Ellis sits down with Todd Beardsley from Run Zero to discuss Todd’s recent research paper "Kevology," which critically examines the CISA Known Exploited Vulnerabilities (KEV) catalog. The conversation sheds light on how organizations can more effectively filter and prioritize KEV for remediation, what the KEV list really represents, common misconceptions about its intent, and how new tooling and research make nuanced filtering practical for defenders across government and private sectors.
“It turns out that only a third of Kev vols are the straight shot RCE bugs that most people would assume they are.” — Casey [00:02]
"If everything's a priority, then nothing becomes a priority at that point." — Casey [05:30]
“Turns out that was really hard until today, Casey, because… if you don't want to write your own code... it's on the KEV collider... presents it in a very delightful way.” — Todd [03:34]
“I'm the cool friend in school that totally will let you cheat off my homework. It's fine. And say how you doing Canada?” — Todd [08:23]
“If there was a bug that like affects Windows... and there's no fix, there is no way that Kev will say like, well just turn off all your Windows, switch to Linux.” — Todd [13:41]
“If you have to choose… I would choose chasing down your end of life stuff before your hottest CVE from two years ago.” — Todd [18:00]
“The end of life stuff will never see a fix. The exploits are forever.” — Todd [18:16]
“This idea that security programs are holistic, that's an idealized before the heat death of the universe kind of concept.” — Casey [19:34]
“I use it to keep an eye on... my media server so I will get an alert before the kids notice. And I have actually solved this problem. I am amazed that I can do this right.” — Todd [22:26]
On RCE Prevalence in KEV:
“It turns out that only a third of KEV vols are the straight shot RCE bugs that most people would assume they are.”
— Casey [00:02]
On Prioritization and Frustration:
“If everything's a priority, then nothing becomes a priority at that point.”
— Casey [05:30]
On International Use of KEV:
"I'm the cool friend in school that totally will let you cheat off my homework. It's fine. And say how you doing Canada?"
— Todd [08:23]
On the “Forever Day” Problem:
“The end of life stuff will never see a fix. The exploits are forever.”
— Todd [18:16]
On Holistic Programs Versus Reality:
“This idea that security programs are holistic, that's an idealized before the heat death of the universe kind of concept.”
— Casey [19:34]
This episode offers a deep dive into the evolving role of KEV, the challenges of remediation at scale, and pragmatic steps organizations can take—backed by new research and community tools—to stay ahead of rapidly shifting vulnerability landscapes. Todd’s enthusiasm, expertise, and sense of humor make it accessible and insightful both for practitioners and decision-makers.