Threat Intelligence · April 22, 2026 · 8 min read

KEV, EPSS, and ExploitDB: How to Read Threat-Intel Signals

Three feeds, three very different questions. Knowing what each one actually tells you — and what it doesn't — is the foundation of defensible prioritisation.

Argus Research

Threat-intel feeds get name-dropped constantly, but they answer different questions and fail in different ways. Used well, they turn a severity list into a risk ranking. Used carelessly, they're just more columns to ignore.

CISA KEV — is it being exploited right now?

The Known Exploited Vulnerabilities catalog is a curated list of CVEs that CISA has confirmed are exploited in the wild. It's high-precision and low-noise: a KEV entry is about as strong a "fix this" signal as exists. The trade-off is recall — a vulnerability can be exploited well before it lands in KEV, so absence from KEV is not evidence of safety.

EPSS — how likely is exploitation soon?

The Exploit Prediction Scoring System gives each CVE a probability (0–100%) of being exploited in the next 30 days, refreshed daily from real-world data. It's the probabilistic complement to KEV's binary signal: great for triaging the long tail of CVEs that aren't in KEV yet. Treat it as a gradient, not a threshold — and remember the score moves over time.

ExploitDB — does working code exist?

A public exploit changes the economics of an attack. ExploitDB tells you whether usable exploit code is publicly available — which is a very different risk than a vulnerability that's only theoretically exploitable. Public exploit + internet-facing + in-range version is about as actionable as a finding gets.

Layering the signals

No single feed is the answer. Argus combines them — version-aware, so they only apply when the CVE actually affects what you run:

  • KEV → escalate hard; it jumps the queue.
  • High EPSS → prioritise even without a KEV listing.
  • Public exploit → raise urgency further, especially when exposed.
  • Ransomware linkage → KEV entries tied to known campaigns get extra weight.

Threat intel should only ever add to a score, never found it — so a feed outage degrades precision, not visibility.

That last principle matters. Argus computes a feed-independent risk floor from observed exposure and intrinsic exploitability first, then lets threat intel escalate from there. If a feed is down, you still see the finding — you just lose some of the sharpening.
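To make the layering concrete, here is an added Python illustration (not Argus's code; the weights, field names and CVE identifiers are assumptions chosen for the example). It computes a feed-independent floor first, applies the feeds only when the installed version is actually affected, and treats a missing feed value as "unavailable" rather than "no signal", so a finding never disappears when a feed is down.

```python
from dataclasses import dataclass
from typing import Optional

# Weights are illustrative assumptions for this example, not Argus's real model.
KEV_BONUS, RANSOMWARE_BONUS, EPSS_WEIGHT = 3.0, 1.0, 3.0
EXPLOIT_BONUS, EXPLOIT_EXPOSED_BONUS, EXPOSURE_BONUS = 1.0, 1.5, 2.0

@dataclass
class Finding:
    cve: str
    version_affected: bool    # version-aware match against what is actually installed
    internet_facing: bool     # observed exposure
    exploitability: float     # intrinsic exploitability on a 0..10 scale, feed-independent

@dataclass
class ThreatIntel:
    """Per-CVE feed signals; None means the feed was unavailable, not 'no signal'."""
    in_kev: Optional[bool] = None
    kev_ransomware: Optional[bool] = None
    epss: Optional[float] = None      # probability (0..1) of exploitation in the next 30 days
    public_exploit: Optional[bool] = None

def risk_floor(f: Finding) -> float:
    """Computed before any feed is consulted, so a feed outage can never hide a finding."""
    return f.exploitability + (EXPOSURE_BONUS if f.internet_facing else 0.0)

def score(f: Finding, ti: ThreatIntel) -> Optional[float]:
    """None when the CVE does not affect the installed version; else floor plus intel escalation."""
    if not f.version_affected:
        return None
    s = risk_floor(f)
    if ti.in_kev:                       # binary, high-precision signal: jumps the queue
        s += KEV_BONUS + (RANSOMWARE_BONUS if ti.kev_ransomware else 0.0)
    if ti.epss is not None:             # gradient: scale by the probability, no cut-off
        s += EPSS_WEIGHT * ti.epss
    if ti.public_exploit:               # working code exists; exposure makes it worse
        s += EXPLOIT_EXPOSED_BONUS if f.internet_facing else EXPLOIT_BONUS
    return s

def triage(pairs):
    """Rank (Finding, ThreatIntel) pairs by score, dropping CVEs that do not affect the installed version."""
    scored = [(f.cve, score(f, ti)) for f, ti in pairs]
    return sorted(((c, s) for c, s in scored if s is not None), key=lambda x: -x[1])

# Constructed sample input; the CVE identifiers are placeholders, not real entries.
SAMPLE = [
    (Finding("CVE-0000-0001", True, True, 6.0), ThreatIntel(True, True, 0.9, True)),
    (Finding("CVE-0000-0002", True, False, 8.0), ThreatIntel(False, False, 0.4, False)),
    (Finding("CVE-0000-0003", False, True, 9.0), ThreatIntel(True, True, 0.95, True)),
    (Finding("CVE-0000-0004", True, True, 7.0), ThreatIntel()),  # every feed down: floor only
]
```

Running `triage(SAMPLE)` ranks the KEV-plus-ransomware, exposed entry first, drops the non-affected version entirely, and still surfaces the entry whose feeds were all unavailable at its floor score.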
