npx claudepluginhub plurigrid/asi --plugin asiThis skill uses the workspace's default tool permissions.
The CISA Known Exploited Vulnerabilities (KEV) catalog, established through Binding Operational Directive (BOD) 22-01, is a living list of CVEs that have been actively exploited in the wild and carry significant risk. As of early 2026, the catalog contains over 1,484 entries, growing 20% in 2025 alone with 245 new additions. This skill covers integrating the KEV catalog into vulnerability prior...
Prioritizes CVE remediation using CISA KEV catalog for exploited vulns, EPSS prediction scores, CVSS severity, asset criticality, and exposure.
Prioritizes CVE fixes using CISA KEV catalog, EPSS scores, and CVSS ratings based on real-world exploitation evidence. Useful for vulnerability management workflows.
Triages and prioritizes vulnerabilities using CISA's SSVC decision tree framework by assessing exploitation, impact, automatability, prevalence, and well-being impact to output Track/Track*/Attend/Act remediation priorities.
Share bugs, ideas, or general feedback.
The CISA Known Exploited Vulnerabilities (KEV) catalog, established through Binding Operational Directive (BOD) 22-01, is a living list of CVEs that have been actively exploited in the wild and carry significant risk. As of early 2026, the catalog contains over 1,484 entries, growing 20% in 2025 alone with 245 new additions. This skill covers integrating the KEV catalog into vulnerability prioritization workflows alongside EPSS (Exploit Prediction Scoring System) and CVSS to create a risk-based approach that prioritizes vulnerabilities with confirmed exploitation activity over theoretical severity alone.
Each KEV entry contains:
| CVE Publication Date | Remediation Deadline |
|---|---|
| 2021 or later | 2 weeks from KEV listing |
| Before 2021 | 6 months from KEV listing |
| Factor | Weight | Data Source | Rationale |
|---|---|---|---|
| CISA KEV Listed | 30% | CISA KEV JSON feed | Confirmed active exploitation |
| EPSS Score | 25% | FIRST EPSS API | Predicted exploitation probability |
| CVSS Base Score | 20% | NVD API v2.0 | Intrinsic vulnerability severity |
| Asset Criticality | 15% | CMDB/Asset inventory | Business impact context |
| Network Exposure | 10% | Network architecture | Attack surface accessibility |
| KEV Listed | EPSS > 0.5 | CVSS >= 9.0 | Priority | SLA |
|---|---|---|---|---|
| Yes | Any | Any | P1-Emergency | 48 hours |
| No | Yes | Yes | P1-Emergency | 48 hours |
| No | Yes | No | P2-Critical | 7 days |
| No | No | Yes | P2-Critical | 7 days |
| No | No | No (>= 7.0) | P3-High | 14 days |
| No | No | No (>= 4.0) | P4-Medium | 30 days |
| No | No | No (< 4.0) | P5-Low | 90 days |
import requests
import json
from datetime import datetime
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
def fetch_kev_catalog():
"""Download and parse the CISA KEV catalog."""
response = requests.get(KEV_URL, timeout=30)
response.raise_for_status()
data = response.json()
catalog = {}
for vuln in data.get("vulnerabilities", []):
cve_id = vuln["cveID"]
catalog[cve_id] = {
"vendor": vuln.get("vendorProject", ""),
"product": vuln.get("product", ""),
"name": vuln.get("vulnerabilityName", ""),
"date_added": vuln.get("dateAdded", ""),
"description": vuln.get("shortDescription", ""),
"action": vuln.get("requiredAction", ""),
"due_date": vuln.get("dueDate", ""),
"ransomware_use": vuln.get("knownRansomwareCampaignUse", "Unknown"),
}
print(f"[+] Loaded {len(catalog)} CVEs from CISA KEV catalog")
print(f" Catalog version: {data.get('catalogVersion', 'N/A')}")
print(f" Last updated: {data.get('dateReleased', 'N/A')}")
return catalog
kev = fetch_kev_catalog()
EPSS_API = "https://api.first.org/data/v1/epss"
def get_epss_scores(cve_list):
"""Fetch EPSS scores for a batch of CVEs."""
scores = {}
batch_size = 100
for i in range(0, len(cve_list), batch_size):
batch = cve_list[i:i + batch_size]
cve_param = ",".join(batch)
response = requests.get(EPSS_API, params={"cve": cve_param}, timeout=30)
if response.status_code == 200:
for entry in response.json().get("data", []):
scores[entry["cve"]] = {
"epss": float(entry.get("epss", 0)),
"percentile": float(entry.get("percentile", 0)),
}
return scores
import pandas as pd
def prioritize_vulnerabilities(scan_results, kev_catalog, epss_scores):
"""Apply multi-factor prioritization to scan results."""
prioritized = []
for vuln in scan_results:
cve_id = vuln.get("cve_id", "")
cvss_score = float(vuln.get("cvss_score", 0))
asset_criticality = float(vuln.get("asset_criticality", 3))
exposure = float(vuln.get("network_exposure", 3))
in_kev = cve_id in kev_catalog
kev_data = kev_catalog.get(cve_id, {})
epss_data = epss_scores.get(cve_id, {"epss": 0, "percentile": 0})
epss_score = epss_data["epss"]
# Composite risk score calculation
risk_score = (
(1.0 if in_kev else 0.0) * 10 * 0.30 +
epss_score * 10 * 0.25 +
cvss_score * 0.20 +
(asset_criticality / 5.0) * 10 * 0.15 +
(exposure / 5.0) * 10 * 0.10
)
# Assign priority level
if in_kev or (epss_score > 0.5 and cvss_score >= 9.0):
priority = "P1-Emergency"
sla_days = 2
elif epss_score > 0.5 or cvss_score >= 9.0:
priority = "P2-Critical"
sla_days = 7
elif cvss_score >= 7.0:
priority = "P3-High"
sla_days = 14
elif cvss_score >= 4.0:
priority = "P4-Medium"
sla_days = 30
else:
priority = "P5-Low"
sla_days = 90
prioritized.append({
"cve_id": cve_id,
"cvss_score": cvss_score,
"epss_score": round(epss_score, 4),
"epss_percentile": round(epss_data["percentile"], 4),
"in_cisa_kev": in_kev,
"ransomware_use": kev_data.get("ransomware_use", "N/A"),
"kev_due_date": kev_data.get("due_date", "N/A"),
"risk_score": round(risk_score, 2),
"priority": priority,
"sla_days": sla_days,
"asset": vuln.get("asset", ""),
"asset_criticality": asset_criticality,
})
df = pd.DataFrame(prioritized)
df = df.sort_values("risk_score", ascending=False)
return df
def generate_report(df, output_file="kev_prioritized_report.csv"):
"""Generate summary report from prioritized vulnerabilities."""
print("\n" + "=" * 70)
print("VULNERABILITY PRIORITIZATION REPORT - KEV + EPSS + CVSS")
print("=" * 70)
print(f"\nTotal vulnerabilities analyzed: {len(df)}")
print(f"KEV-listed vulnerabilities: {df['in_cisa_kev'].sum()}")
print(f"Ransomware-associated: {(df['ransomware_use'] == 'Known').sum()}")
print("\nPriority Distribution:")
print(df["priority"].value_counts().to_string())
print("\nTop 15 Highest Risk Vulnerabilities:")
top = df.head(15)[["cve_id", "cvss_score", "epss_score", "in_cisa_kev",
"risk_score", "priority"]]
print(top.to_string(index=False))
df.to_csv(output_file, index=False)
print(f"\n[+] Full report saved to: {output_file}")