Risky Bulletin – Episode Summary
Episode Title: Sponsored: Filtering the KEV was really hard … Until now!
Date: February 15, 2026
Host: Casey Ellis (A)
Guest: Todd Beardsley, Run Zero (B)
Episode Overview
In this episode, Casey Ellis sits down with Todd Beardsley from Run Zero to discuss Todd’s recent research paper "Kevology," which critically examines the CISA Known Exploited Vulnerabilities (KEV) catalog. The conversation sheds light on how organizations can more effectively filter and prioritize KEV for remediation, what the KEV list really represents, common misconceptions about its intent, and how new tooling and research make nuanced filtering practical for defenders across government and private sectors.
Key Discussion Points & Insights
1. The Genesis and Nature of KEV (00:02 – 06:26)
- Background: Todd Beardsley previously worked at CISA and was directly involved in managing the Known Exploited Vulnerabilities (KEV) catalog, a federal government-mandated list that agencies must patch against under Binding Operational Directive (BOD) 22-01.
- KEV is Not Just RCEs: Only about a third of KEV entries are straightforward Remote Code Execution (RCE) vulnerabilities:
  - “It turns out that only a third of KEV vulns are the straight shot RCE bugs that most people would assume they are.” — Casey [00:02]
- Many listed vulnerabilities have commodity exploits that pre-date their inclusion, and some stay unaddressed for a long time.
- KEV’s Purpose: For federal agencies, compliance requires patching everything on KEV by the published deadlines—there’s no formal prioritization.
- Data Nuance & Frustrations: Todd describes his professional frustration over the lack of prioritization in KEV and his drive to add richer context:
  - "If everything's a priority, then nothing becomes a priority at that point." — Casey [05:30]
2. Filtering KEV: "Kevology" Research & KEV Collider Tool (03:34 – 05:30)
- Research Approach: Todd’s "Kevology" paper systematically analyzes and restructures KEV data, introducing structured filtering criteria (network vector, no user interaction, no special privileges, high integrity impact).
- Tool for the Community: The KEV Collider, released alongside the paper, is a web-based tool on the Run Zero website that lets users filter KEV by advanced criteria without writing code.
  - “Turns out that was really hard until today, Casey, because… if you don't want to write your own code... it's on the KEV collider... presents it in a very delightful way.” — Todd [03:34]
- Practical Impact: Non-federal organizations can use the tool to focus on the vulnerabilities most immediately relevant to them, not just “do everything, always.”
3. Misconceptions About KEV and Its Scope (06:26 – 11:46)
- Widespread Misunderstandings:
  - KEV is not a list of the “worst of the worst” vulnerabilities, nor does it only cover those affecting the federal government.
  - The catalog is a vulnerability list, not an exploit list; many KEV entries are not “in-the-wild” or “nation-state only” bugs.
- International & State Use: KEV is widely used beyond its original audience, becoming a de facto global and multi-level government resource:
  - “I'm the cool friend in school that totally will let you cheat off my homework. It's fine. And say how you doing Canada?” — Todd [08:23]
- Filtering Complexity: True prioritization comes from combining various data points: EPSS, CVSS, public exploits, Metasploit modules.
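The two filtering ideas above (the "Kevology" vector criteria in section 2, and combining KEV with other data points here) can be reproduced with a few lines of code. The following is an added example written for this summary; it is not the KEV Collider's code nor anything from the paper. It assumes the field names of the CISA KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`), and, because that feed carries no CVSS vectors, assumes the vectors have been joined in from NVD. All records and vectors below are constructed placeholders, not real CVEs.

```python
"""
Filter a KEV-style catalog by CVSS v3.1 vector components, following the
"Kevology" straight-shot criteria: network attack vector, no user
interaction, no privileges required, high integrity impact. Matches are
then ordered by the extra signals a defender would combine (here: known
ransomware use and the KEV due date).

Constructed sample data only: the CISA KEV feed does not include CVSS
vectors, so a real run would join the feed's cveID against NVD. The IDs
below are placeholders, not real CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed KEV-style records (field names follow the CISA feed layout).
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleOffice", "product": "Docs",
         "dueDate": "2026-03-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "ExampleOS", "product": "Kernel",
         "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "ExampleRouter", "product": "SOHO",
         "dueDate": "2026-02-25", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-EXAMPLE-0005", "vendorProject": "ExampleCMS", "product": "Portal",
         "dueDate": "2026-02-27", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed CVSS v3.1 vectors keyed by cveID (in practice joined from NVD).
# CVE-EXAMPLE-0005 deliberately has no vector, to show the unscored path.
SAMPLE_VECTORS: Dict[str, str] = {
    "CVE-EXAMPLE-0001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # unauthenticated network, RCE-class
    "CVE-EXAMPLE-0002": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",  # malicious document, needs a click
    "CVE-EXAMPLE-0003": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",  # local privilege escalation
    "CVE-EXAMPLE-0004": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",  # unauthenticated config tampering
}

# The straight-shot criteria expressed as required metric values.
STRAIGHT_SHOT = {"AV": "N", "UI": "N", "PR": "N", "I": "H"}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'CVSS:3.1/AV:N/...' into {'AV': 'N', ...}; rejects non-3.x vectors."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])


def is_straight_shot(vector: str) -> bool:
    """True when every required metric in STRAIGHT_SHOT matches the vector."""
    metrics = parse_vector(vector)
    return all(metrics.get(k) == v for k, v in STRAIGHT_SHOT.items())


def filter_kev(kev_json: str, vectors: Dict[str, str]) -> Tuple[List[dict], List[str]]:
    """Return (matching entries ordered for remediation, cveIDs with no vector).

    Entries without a vector cannot be excluded safely, so they are not
    silently dropped; they are returned for manual review instead.
    """
    catalog = json.loads(kev_json)["vulnerabilities"]
    matched, unscored = [], []
    for entry in catalog:
        vec = vectors.get(entry["cveID"])
        if vec is None:
            unscored.append(entry["cveID"])
            continue
        if is_straight_shot(vec):
            matched.append(entry)
    # Known ransomware use first, then the earliest KEV due date. Other
    # signals (an EPSS score, a public exploit flag) would be further keys.
    matched.sort(key=lambda e: (e.get("knownRansomwareCampaignUse") != "Known", e["dueDate"]))
    return matched, unscored


def matched_ids(kev_json: str = SAMPLE_KEV_JSON, vectors: Dict[str, str] = SAMPLE_VECTORS) -> List[str]:
    """Convenience wrapper returning only the ordered cveIDs of matches."""
    return [e["cveID"] for e in filter_kev(kev_json, vectors)[0]]


if __name__ == "__main__":
    hits, review = filter_kev(SAMPLE_KEV_JSON, SAMPLE_VECTORS)
    for e in hits:
        print(f"{e['cveID']}  due {e['dueDate']}  ransomware={e['knownRansomwareCampaignUse']}  {e['vendorProject']} {e['product']}")
    print("needs manual review (no vector):", review)
```

Against the sample data the two network-reachable, unauthenticated, no-interaction entries come out first (the router bug ahead of the VPN bug because its due date is earlier), the document and local privilege escalation bugs are filtered out, and the entry with no vector is reported rather than dropped. Swapping the sample feed for the live CISA JSON and the vector dictionary for an NVD join is the only change needed for real use.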
4. Remediation Realities & "Achievability" (11:46 – 14:27)
- KEV Inclusion Criteria:
  - Vulnerabilities are only added if a reasonably actionable patch or mitigation is available.
  - For end-of-life (EOL) products with no fix—like consumer D-Link routers—the advice is simply to retire or replace.
- Contrast: Critical bugs in mainstream, irreplaceable platforms (like Windows) with no fix may remain off KEV for a long time.
  - “If there was a bug that like affects Windows... and there's no fix, there is no way that KEV will say like, well just turn off all your Windows, switch to Linux.” — Todd [13:41]
- Trade-offs and Delays: Some serious bugs (e.g., Black Lotus/UEFI) stay off KEV due to lack of practical mitigations.
5. The New BOD 26-02: End-of-Service (EOS) Edge Devices (15:07 – 17:30)
- New Mandate: CISA’s fresh directive (BOD 26-02) targets the use of unsupported edge devices (routers, VPNs, firewalls) in government—now explicitly banned.
- Todd’s Broader Concern:
  - EOL internal OSes and infrastructure are unpatchable, representing 'forever exposure.'
  - End-of-life systems warrant even more attention than the “hottest” new CVEs:
    - “If you have to choose… I would choose chasing down your end of life stuff before your hottest CVE from two years ago.” — Todd [18:00]
    - “The end of life stuff will never see a fix. The exploits are forever.” — Todd [18:16]
6. Holistic Security Programs & Real-World Trade-offs (19:34 – 21:34)
- Ideal Versus Reality:
  - While security should be holistic, resource and time constraints make triage and economic rationalization unavoidable.
  - Many exposures (weak passwords, bad segmentation, etc.) can’t be solved merely by patching.
  - “This idea that security programs are holistic, that's an idealized before the heat death of the universe kind of concept.” — Casey [19:34]
7. Call to Action: Asset & Exposure Management (21:34 – 23:50)
- Run Zero’s Offering: Todd discusses how Run Zero solutions—including the KEV Collider and Community Edition—help organizations get a grip on asset and exposure management, with a user-friendly, free tier for small environments.
- Practical Adoption: Asset inventory and exposure management enable organizations to find, filter, and act on vulnerable or unsupported assets before they become critical incidents.
- Memorable Moment:
  - “I use it to keep an eye on... my media server so I will get an alert before the kids notice. And I have actually solved this problem. I am amazed that I can do this right.” — Todd [22:26]
Notable Quotes & Memorable Moments
- On RCE Prevalence in KEV: “It turns out that only a third of KEV vulns are the straight shot RCE bugs that most people would assume they are.” — Casey [00:02]
- On Prioritization and Frustration: “If everything's a priority, then nothing becomes a priority at that point.” — Casey [05:30]
- On International Use of KEV: "I'm the cool friend in school that totally will let you cheat off my homework. It's fine. And say how you doing Canada?" — Todd [08:23]
- On the “Forever Day” Problem: “The end of life stuff will never see a fix. The exploits are forever.” — Todd [18:16]
- On Holistic Programs Versus Reality: “This idea that security programs are holistic, that's an idealized before the heat death of the universe kind of concept.” — Casey [19:34]
Key Timestamps
- 00:02 — Introduction to KEV and Todd’s “Kevology” research
- 03:34 — Challenges and solutions in filtering KEV vulnerabilities
- 06:26 — Common misconceptions about KEV, exploitation, and prioritization
- 11:46 — Remediation realities and why not all critical bugs appear in KEV
- 15:07 — New CISA directives on end-of-life edge devices
- 18:00 — Why end-of-life exposures are often more urgent than new CVEs
- 19:34 — Real-world constraints on security prioritization
- 21:34 — Practical asset/exposure management and Run Zero’s free tools
- 23:50 — Closing
For Listeners
This episode offers a deep dive into the evolving role of KEV, the challenges of remediation at scale, and pragmatic steps organizations can take—backed by new research and community tools—to stay ahead of rapidly shifting vulnerability landscapes. Todd’s enthusiasm, expertise, and sense of humor make it accessible and insightful both for practitioners and decision-makers.
