Published May 5, 2026 · 2 min read

CISA KEV Explained: The Catalog of Actively Exploited Vulnerabilities

Tags: CISA KEV, Threat Intelligence, Prioritization

The CISA KEV catalog is one of the most important — and most actionable — inputs in modern vulnerability management. The rule is simple: if a CVE is in the catalog, attackers are exploiting it right now. This article explains what the catalog is, how it works, and how to fold it into your prioritization.

What is the CISA KEV catalog?

The Known Exploited Vulnerabilities (KEV) catalog is a public, free list maintained by CISA, the U.S. Cybersecurity and Infrastructure Security Agency. It contains CVEs with reliable evidence of active exploitation in the wild. Each entry includes the CVE ID, the affected vendor and product, a short description, the date it was added, and a remediation due date.

Why a KEV listing beats any score

A CVSS score estimates severity; an EPSS score estimates the probability of exploitation. A KEV listing is neither an estimate nor a prediction — it is confirmation. The vulnerability is in attackers' hands today. That makes the catalog the single highest-signal input you can layer onto your findings: anything you have that appears in KEV should be remediated first, full stop.

KEV and Binding Operational Directive 22-01

CISA's BOD 22-01 requires U.S. federal civilian agencies to remediate KEV entries by their published due dates. Even if you are not a federal agency, the catalog is a vendor-neutral, continuously updated prioritization feed that any organization should consume.

How to use KEV in your program

  1. Cross-reference every finding against the KEV catalog.
  2. Treat any match as top priority, regardless of its CVSS.
  3. Track a KEV remediation SLA as a core metric.
  4. Layer EPSS on the rest. For everything not in KEV, sort by exploitation probability — see EPSS vs CVSS.
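The four steps above, and the catalog fields listed earlier, as one worked example. This is an added illustration, not code from the article or from priorIQ.ai. The catalog excerpt and the findings are constructed sample data with placeholder CVE IDs; the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, and so on) follow the schema of CISA's public KEV JSON feed, which in practice you would download from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and pass to `load_kev_index` as a parsed dict. The `Finding` type and its EPSS and CVSS values are assumptions standing in for whatever your scanner exports.

```python
"""Cross-reference findings against a CISA KEV snapshot and rank them.

Added example, not code from the original article or from priorIQ.ai.
All data below is CONSTRUCTED; CVE IDs of the form CVE-0000-000N are
placeholders, not real entries.
"""
from dataclasses import dataclass
from datetime import date

# CONSTRUCTED excerpt in the shape of the KEV JSON feed.
KEV_SNAPSHOT = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleGateway",
            "vulnerabilityName": "ExampleGateway authentication bypass",
            "dateAdded": "2026-04-20",
            "shortDescription": "Constructed entry for illustration.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-05-11",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-0002",
            "vendorProject": "ExampleVendor",
            "product": "ExampleMail",
            "vulnerabilityName": "ExampleMail path traversal",
            "dateAdded": "2026-03-25",
            "shortDescription": "Constructed entry for illustration.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-04-15",  # already past on the evaluation date used below
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
}


@dataclass
class Finding:
    """Assumed shape of a scanner finding (hypothetical, not a real export format)."""
    cve_id: str
    asset: str
    cvss: float   # CVSS base score, 0..10
    epss: float   # EPSS probability of exploitation, 0..1


# CONSTRUCTED findings: note the high-CVSS, low-EPSS, non-KEV item (CVE-0000-0003).
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-edge-01", 7.2, 0.40),
    Finding("CVE-0000-0002", "mail-01", 5.4, 0.10),
    Finding("CVE-0000-0003", "web-07", 9.8, 0.02),
    Finding("CVE-0000-0004", "build-02", 6.5, 0.91),
]


def load_kev_index(snapshot: dict) -> dict[str, dict]:
    """Step 1: index catalog entries by CVE ID so every finding can be checked in O(1)."""
    return {entry["cveID"]: entry for entry in snapshot["vulnerabilities"]}


def prioritize(findings: list[Finding], kev_index: dict[str, dict]) -> list[Finding]:
    """Steps 2 and 4: KEV matches come first (earliest due date first, regardless of
    CVSS); everything else is sorted by EPSS probability, with CVSS as a tie-breaker."""
    def sort_key(f: Finding):
        entry = kev_index.get(f.cve_id)
        if entry is not None:
            return (0, entry["dueDate"], -f.epss, -f.cvss)
        return (1, "", -f.epss, -f.cvss)
    return sorted(findings, key=sort_key)


def kev_sla_status(findings: list[Finding], kev_index: dict[str, dict], today_iso: str) -> dict:
    """Step 3: the KEV remediation SLA metric. Counts open KEV-listed findings and how
    many are past CISA's published due date as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    open_kev = [f for f in findings if f.cve_id in kev_index]
    overdue = [f for f in open_kev
               if date.fromisoformat(kev_index[f.cve_id]["dueDate"]) < today]
    return {
        "open_kev": len(open_kev),
        "overdue_kev": len(overdue),
        "overdue_cves": sorted({f.cve_id for f in overdue}),
    }


if __name__ == "__main__":
    kev = load_kev_index(KEV_SNAPSHOT)
    for rank, f in enumerate(prioritize(FINDINGS, kev), start=1):
        tag = "KEV due " + kev[f.cve_id]["dueDate"] if f.cve_id in kev else "not in KEV"
        print(f"{rank}. {f.cve_id} on {f.asset}: CVSS {f.cvss}, EPSS {f.epss:.2f} ({tag})")
    print(kev_sla_status(FINDINGS, kev, "2026-05-05"))
```

Run against the constructed data, the two KEV-listed findings land at the top (the overdue one first) even though one of them has the lowest CVSS in the set, the CVSS 9.8 finding with a 2% EPSS drops to last, and the SLA metric reports one overdue KEV item. Swapping `KEV_SNAPSHOT` for the parsed live feed and `FINDINGS` for your scanner's export is the only change needed to use it for real.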

KEV is necessary, but not sufficient

The catalog only covers what CISA has confirmed. Plenty of exploited vulnerabilities are not (yet) listed, so treat KEV as a floor, not a ceiling: pair it with EPSS for likelihood and with business exposure for context. That combination is the essence of risk-based vulnerability management, and it is exactly the order we recommend in our prioritization framework.

How priorIQ.ai uses KEV

priorIQ.ai automatically flags every KEV-listed CVE across your reconciled inventory and pushes it to the top of the queue, then scores the remainder with EPSS, business exposure and toxic-combination analysis. Request a demo.

Frequently asked questions

How often is the KEV catalog updated? Regularly — CISA adds entries as new exploitation is confirmed, often several times a week.

Is KEV only relevant to U.S. agencies? The mandate applies to them; the catalog is for everyone. It is free and any organization can consume it.

KEV vs EPSS — which do I use? Both. KEV is confirmed exploitation; EPSS is predicted probability for everything not yet confirmed.