The Catalog That Quietly Became the Industry’s Compliance Clock
The CISA Known Exploited Vulnerabilities catalog began as a federal patch-management tool. In 2026 it is something larger: the de-facto compliance clock for the entire security market. When CISA adds a CVE to the KEV catalog, it is making a specific, load-bearing claim — this flaw is being exploited right now — and it attaches a binding remediation deadline. Federal civilian agencies must meet that deadline by mandate; everyone else meets it because cyber-insurance underwriters, enterprise-security programs, and contracting compliance chains have adopted KEV deadlines as the standard they measure against.
The catalog’s scale is the first thing to understand. It closed 2025 at 1,484 entries, with 245 added during 2025 alone — a 20% year-over-year increase, and more than 30% above the trend of 2023 and 2024. The cadence has not slowed in 2026; CISA is publishing updates more frequently, with more vulnerabilities per update, than the year before. The catalog is not a static reference. It is a continuously growing, continuously deadline-bearing stream.
See the IAN team run on your cloud. We connect to your AWS account via a scoped read-only role, run the Observe-tier agents, and leave you with a concrete audit report — cost waste, security exposure, compliance gaps, and a labor-offset estimate. You keep the findings regardless of next steps. Get a free infrastructure audit →
What the Concentration Tells You About Where to Watch
A catalog of 1,484 entries sounds unmanageable until you look at the concentration, which is where the operating leverage lives.
The vendor distribution is steeply skewed. Microsoft accounts for roughly 350 entries — nearly 24% of the entire catalog — a reflection of its footprint across operating systems, productivity software, and enterprise applications. Apple ranks second with 86, Cisco third with 82, Adobe with 76, and Google with 67. Five vendors carry a large fraction of the entire exploited-in-the-wild surface.
Within Cisco’s 82, a sharper concentration: fifteen entries are Cisco SD-WAN, and six of those are 2026 zero-days, two reaching CVSS 10.0. A single network-control-plane product family produced six confirmed-exploited zero-days in under half a year. And the exposure is not academic: roughly 20.5% of all catalog entries — 304 of 1,484 — have been used by ransomware groups, which is the cleanest available signal of which exploited flaws turn into business-ending incidents.
The concentration is the actionable part. It says the watch is not a uniform sweep across 1,484 equally-weighted entries. It is a risk-weighted, vendor-aware, product-class-aware reconciliation that knows the organization’s Microsoft surface and its network-control-plane surface are where the catalog is densest and the ransomware overlap is highest.
The KEV Deadline Is the Load-Bearing Artifact — and 2026 Proved It Four Times
Across the spring of 2026, the IAN catalog has anchored four separate security pieces on a single shared artifact: the KEV deadline.
- The n8n CVE-2025-68613 piece anchored on a KEV deadline against the workflow-automation control plane.
- The Nx Console CVE-2026-48027 piece anchored on a KEV deadline (2026-06-10) against the developer-tooling supply chain.
- The Cisco SD-WAN CVE-2026-20182 piece anchored on a three-day KEV deadline (added 2026-05-14, due 2026-05-17) against the network control plane.
- And the source-control-plane and secrets-sprawl pieces sit in the same frame.
In every case the deadline is the load-bearing object — the thing that converts a CVE from an advisory into a dated obligation with audit, insurance, and contracting consequences. The 2026 lesson is that vulnerability management is no longer scored by how many CVEs you closed. It is scored by whether you met the KEV deadline on the ones that were being exploited — and by whether you can prove it.
KEV-Watch-and-Deadline-Reconciliation Is a Continuous Compliance Workload
The classical vulnerability-management model is a periodic scan: run the scanner, generate a report, file tickets, work the backlog. That model assumed the exploitation signal changed slowly enough that a periodic pass could keep up. The 2026 KEV cadence — more frequent updates, more entries per update, three-day deadlines on control-plane flaws — retires that assumption the same way the FinOps numbers retired the quarterly cost review.
What continuous KEV-deadline-reconciliation actually demands, once the 2026 cadence is the operating assumption:
1. Continuous join of the KEV stream to a live asset inventory. The KEV catalog is the exploitation signal; the asset inventory is the exposure surface. The continuous join — which new KEV entry hits which running asset, at which version, with which deadline — is the core workload. A KEV entry against a product you do not know you run is a missed deadline waiting to happen.
2. Risk-weighting by concentration and ransomware overlap. Not every KEV entry is equal. The watch weights the dense vendor surfaces (the Microsoft ~24%, the network-control-plane cluster) and the ~20.5% ransomware-overlap set, so the scarce remediation capacity goes to the entries most likely to become incidents.
3. Deadline-driven remediation under capability-tier governance. A three-day deadline cannot wait for a weekly change-approval meeting. Reversible, scoped mitigations are Operate-tier actions that auto-execute; irreversible upgrades are Administer-tier actions gated behind explicit approval. The governance model is what lets the fast path run automatically while the irreversible path stays human-controlled.
4. Deadline tracking as a first-class object per affected asset. Every KEV entry that maps to a running asset carries its own deadline clock, tracked per asset, surfaced before it expires — not discovered after the fact in an audit.
5. An immutable, auditor-readable evidence trail. This is the part that makes it a compliance workload and not just a security one. The deliverable is not “we patched it.” The deliverable is a complete, timestamped record: when the KEV entry appeared, when the affected asset was identified, when the mitigation landed, when the patch confirmed, who approved the irreversible step. That record is what the SOC 2 auditor, the cyber-insurance underwriter, and the federal-contracting compliance chain actually ask for.
Each of these is a continuous workload against a stream that grows 20% a year and accelerates inside the year. The aggregate exceeds what a stretched compliance-and-security team can carry by hand.
How IAN Helps: A Compliance Agent on the Active Operational Layer
The active operational layer is the response. IAN runs a team of specialized agents rather than a dashboard that reports the backlog. A compliance agent continuously reconciles the KEV stream against the live asset inventory, weights the result by vendor concentration and ransomware overlap, tracks each deadline as a first-class object per affected asset, and assembles the auditor-readable evidence trail automatically. It coordinates with the security agent on the exploitation signal and the remediation execution, and with the resource-operations agent on the asset-and-version inventory the whole reconciliation depends on. Every action — every detection, mitigation, approval, and patch confirmation — lands in the immutable audit trail that is itself the compliance deliverable.
The capability-tier model — Observe / Operate / Administer — is what makes deadline-driven autonomy safe: Observe-tier reconciliation runs continuously and fully audited, Operate-tier mitigations auto-execute when reversible and in-policy, and Administer-tier upgrades and policy changes always require explicit approval. BYOK on the model keys keeps the customer’s inference spend in their own provider account, and the MCP-first interface lets the compliance and security teams drive the layer from the clients they already use.
The Three-Phase Rollout
Observe. The compliance agent connects read-only, builds the asset-and-version inventory, and continuously reconciles it against the KEV catalog — surfacing exactly which entries hit which running assets, with which deadline, risk-weighted by concentration and ransomware overlap, no action taken.
Operate. With approval gates configured, the agent drives the reversible, in-policy mitigations the moment a KEV entry maps to a running asset, tracks each deadline to closure, and queues the irreversible upgrades for approval — every step captured as evidence.
Cross-agent loop. The compliance agent, the security agent, and the resource-operations agent run as a coordinated team: the KEV stream drives the deadline, the inventory drives the exposure, the remediation drives the closure, and the immutable audit trail assembles the whole record into the compliance artifact the auditor and the underwriter actually ask for.
The 2026 read: the KEV catalog is the load-bearing compliance clock of the year, the deadlines are getting shorter and the stream is getting denser, and KEV-watch-and-deadline-reconciliation is a continuous compliance workload the active operational layer was built to run.
Next step: talk to the team
30 minutes. We'll look at your cloud together and scope what we'd take off your plate — see pricing.