The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog is the most authoritative publicly available list of cybersecurity vulnerabilities that have been observed in active exploitation against U.S. federal civilian executive branch agencies and the broader U.S. private-sector ecosystem. The catalog contains more than one thousand vulnerability entries, each of which names the affected vendor, the affected product, the vulnerability identifier (CVE), the date the vulnerability was added to the catalog, and the required-remediation date for federal civilian agencies. Together with the related CISA advisory archive (Cybersecurity Advisories, Industrial Control Systems Advisories, and Joint Cybersecurity Advisories), the KEV catalog constitutes the most product-name-dense public cybersecurity archive in the United States — and almost none of it is being systematically extracted as social proof by the cybersecurity-tooling, vulnerability-management, patching-platform, and managed-detection-and-response companies whose products are being mentioned.
The under-extraction is not because the archives are inaccessible. CISA publishes the KEV catalog as a public JSON feed with consistent field structure across entries; the advisory archive is published as a searchable HTML library with consistent narrative structure across advisories. The under-extraction is because the cybersecurity social-proof workflow has not been constructed to handle the regulatory-disclosure source format — the KEV entry reads as a vulnerability listing rather than as a product endorsement, and the advisory narrative reads as a security warning rather than as a customer outcome. This guide formalizes the four-stage extraction workflow that converts the archives into citable customer outcomes, the discrimination between the vulnerability-listing axis and the remediation-disclosure axis, and the attribution-safe quoting framework that meets the legal and reputational requirements for using the archives in cybersecurity marketing materials.
Why the CISA archives are under-extracted as social proof
The KEV catalog is the most counterintuitive social-proof source in the cybersecurity sector. The surface read of a catalog entry is the description of a vulnerability — the CVE identifier, the affected vendor, the affected product, the description of the exploit technique. The cybersecurity product company being mentioned is being mentioned as the party whose product contained the vulnerability, and the surface read of the entry is therefore negative.
The under-extraction is the failure to recognize that the KEV catalog contains the vendor's remediation cadence in addition to the vulnerability itself. CISA records the date the vulnerability was added to the catalog, the date by which federal civilian agencies must remediate the vulnerability, and the public patch-availability date that the vendor announced. The relationship among these three dates is the extractable social proof — a vendor whose patch-availability date precedes the catalog-addition date is a vendor whose disclosure-and-remediation discipline anticipates the federal mandate, and a vendor whose patch is widely available before the remediation deadline is a vendor whose customer base is operationally prepared for the deadline. The remediation-cadence content is the extractable social proof that the surface-read approach misses.
The CISA advisory archive is the second source. The advisory is the narrative instrument through which CISA describes a cybersecurity incident, an industrial-control-system vulnerability, or a joint-agency cybersecurity finding. The advisory typically includes a remediation-recommendations section that names the cybersecurity tools, the patching platforms, the detection signatures, and the configuration-hardening guidance that the customer should deploy. The remediation-recommendations content is extractable as social proof of the cybersecurity vendor's inclusion in the CISA-recommended response posture; the surface-read approach misses the proof because the recommendations are embedded in a regulatory advisory that reads as adverse rather than as commercial endorsement.
The two sources are complementary because they cover different stages of the vulnerability lifecycle. The KEV catalog covers the post-disclosure-active-exploitation stage and the vendor's remediation discipline; the advisory archive covers the active-incident-response stage and the cybersecurity-vendor inclusion in the CISA-recommended posture. The extraction workflow that handles both sources produces a social-proof asset library that covers both the remediation-cadence axis and the CISA-recommended-posture axis — and the library reads as more credible than a marketing-constructed social-proof library because the source materials are public regulatory records that the prospective customer can independently verify.
The four-stage extraction workflow
The extraction workflow consists of four sequential stages that convert the source archives into citable customer outcomes. The workflow is designed to maintain the legal, reputational, and operational safety of the extracted content; the staged construction prevents the premature publication of content that has not been verified for the attribution-safe quoting requirements that cybersecurity marketing must meet.
Stage 1 — Source-archive identification and corpus construction
The first stage identifies the source archives relevant to the cybersecurity product company and constructs a corpus of source documents for extraction. The KEV catalog is identified by the vendor-name field; the catalog query returns the catalog entries naming the vendor's products. The advisory archive is identified by the vendor-name reference in the advisory narrative; the archive query returns the advisories in which the vendor's products are named either as the affected product (for ICS advisories) or as the recommended cybersecurity tool (for Joint Cybersecurity Advisories and Cybersecurity Advisories).
The corpus should include the KEV catalog entries for the past thirty-six months and the advisory archive entries for the past sixty months. The thirty-six-month window for KEV entries is the timeframe over which the federal-civilian-remediation deadline is most operationally salient to the prospective customer evaluating the cybersecurity product. The sixty-month window for advisories is the timeframe over which the recommended cybersecurity posture is most operationally salient; advisories older than sixty months frequently reference cybersecurity tools or detection signatures that are no longer current. The corpus construction should exclude KEV entries for which the vendor has not yet published a patch (the in-progress entries do not produce extractable customer outcomes because the remediation-cadence proof is not yet established).
Stage 2 — Vulnerability-listing axis and remediation-disclosure axis discrimination
The second stage discriminates the two source axes that the catalog and the advisory archive expose. The discrimination is essential because the marketing application differs by axis and because the legal-reputational risk profile differs by axis.
The vulnerability-listing axis is the KEV catalog axis that records the vendor's product as the affected product. The marketing application along this axis is the remediation-cadence proof — the prospective customer can independently verify that the vendor's patch-availability date precedes (or closely follows) the catalog-addition date, and the prospective customer can independently verify that the vendor's customer-communication cadence (security-advisory publication, patch-deployment guidance, customer-notification email) is operationally prepared for the federal-civilian-remediation deadline. The marketing material constructed along this axis must avoid the inversion failure — must not present the catalog entry as if the catalog were endorsing the product, when the catalog is actually listing the product as affected.
The remediation-disclosure axis is the advisory archive axis that records the vendor's product as the recommended cybersecurity tool. The marketing application along this axis is the CISA-recommended-posture proof — the prospective customer can independently verify that the vendor's product is named in the CISA advisory as part of the recommended response posture for the incident the advisory describes. The marketing material constructed along this axis must avoid the over-attribution failure — must not present the advisory's recommendation as if it were a CISA endorsement of the vendor in general, when the recommendation is specific to the incident the advisory describes.
Stage 3 — Attribution-safe quoting framework application
The third stage applies the attribution-safe quoting framework that converts the discriminated source content into quotable content suitable for marketing use. The framework operates along three axes — the source-attribution axis (how the source is identified in the marketing material), the temporal-attribution axis (how the date of the source is identified), and the scope-attribution axis (how the specificity of the source's recommendation is preserved). The three axes are independent and the framework requires the marketing-use construction to handle all three correctly.
The source-attribution axis requires the marketing material to identify the source archive — "as listed in the CISA Known Exploited Vulnerabilities catalog", "as recommended in the CISA Cybersecurity Advisory", "as named in the CISA Joint Cybersecurity Advisory" — in a manner that allows the prospective customer to verify the source independently. The verification requirement is the basis for the credibility of the extracted content; the prospective customer who can verify the source treats the content as a public-record citation rather than as a marketing assertion.
The temporal-attribution axis requires the marketing material to identify the date of the catalog entry or the advisory in a manner that preserves the operational relevance of the source. The catalog entries become operationally less salient as the federal-civilian-remediation deadline recedes into the past; the advisories become operationally less salient as the incident the advisory describes recedes into the past. The attribution should include the catalog-addition date and the remediation-deadline date for KEV citations, and the advisory-publication date and the incident-period for advisory citations.
The scope-attribution axis requires the marketing material to preserve the specificity of the source's recommendation. The advisory recommendation that names the vendor's product as part of the recommended response posture for a specific incident must be cited as such — the marketing material must not generalize the specific recommendation into a general CISA endorsement of the vendor. The scope-attribution discipline prevents the over-attribution failure that would undermine the credibility of the extracted content when the prospective customer verifies the source.
Stage 4 — Quality verification and publication-readiness review
The fourth stage performs the quality verification and publication-readiness review before the extracted content is incorporated into marketing materials. The verification consists of three checks — the source-citation accuracy check (the cited CVE identifier or advisory identifier resolves to the cited source), the quote-fidelity check (the quoted text matches the source text without alteration), and the legal-compliance check (the use of the source complies with CISA's terms of use and with the applicable cybersecurity-marketing conventions). For complementary public-record extraction discipline, see the customer bug bounty report and coordinated vulnerability disclosure product mentions extraction workflow guide and the customer threat intelligence feed and IoC sharing disclosure product mentions extraction workflow guide.
The publication-readiness review applies the cybersecurity-marketing risk framework — the framework that evaluates the reputational risk of publishing the extracted content. The framework requires the extracted content to be evaluated against three risk dimensions — the patch-currency dimension (whether the catalog entry reflects a vulnerability for which the vendor's patch is currently deployed across the customer base, rather than a vulnerability for which the patch deployment is still in progress), the advisory-currency dimension (whether the advisory reflects an active-incident-response posture or a historical posture that has been superseded), and the scope-fidelity dimension (whether the marketing material preserves the specific scope of the advisory recommendation rather than over-attributing). The content that passes the three-dimensional review is suitable for publication; the content that fails any dimension should be held back from publication until the failed dimension can be remediated.
The discrimination between the vulnerability-listing axis and the remediation-disclosure axis
The two source axes produce complementary but distinct social-proof content, and the marketing application should preserve the discrimination between the axes. The vulnerability-listing axis produces remediation-cadence content — the proof that the vendor's disclosure-and-remediation discipline is operationally prepared for the federal mandate. The remediation-disclosure axis produces CISA-recommended-posture content — the proof that the vendor's product is named in the CISA-recommended response posture for a specific incident.
The remediation-cadence content is suitable for the marketing-use cases that emphasize the vendor's operational discipline — vendor-security-advisory landing pages, customer-trust-and-safety documentation, and enterprise-procurement-collateral that demonstrates the vendor's response-readiness posture. The CISA-recommended-posture content is suitable for the marketing-use cases that emphasize the vendor's inclusion in the federal-civilian cybersecurity ecosystem — federal-civilian-sales collateral, public-sector procurement materials, and incident-response-services collateral that demonstrates the vendor's alignment with the CISA-recommended posture.
The two content types should be presented separately in the marketing-asset library. The cross-presentation failure — presenting the remediation-cadence content as if it were CISA-recommended-posture content, or presenting the CISA-recommended-posture content as if it were remediation-cadence content — is recognized by procurement evaluators as a credibility-undermining misattribution. Preserving the axis discrimination is the cheapest defense against the cross-presentation failure.
Field structure and extraction tooling
The KEV catalog is published as a JSON feed with the following field structure for each entry: cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse, notes, and cwes. The extraction tooling should consume the JSON feed directly and should index entries by the vendorProject field for the vendor whose products are being extracted as social proof. The dueDate field is the federal-civilian-remediation deadline and is the central date for the temporal-attribution axis; the dateAdded field is the catalog-addition date and is the central date for the remediation-cadence axis.
The CISA advisory archive is published as an HTML library at the agency's website with consistent advisory-page structure across entries. The extraction tooling should consume the advisory HTML directly, parse the recommended-actions section, and index the named vendor products. The advisory-publication date is exposed in the page metadata; the incident-period is exposed in the advisory body and should be extracted as a temporal-attribution field.
The tooling investment is modest — a single ETL pipeline that consumes the JSON feed and parses the HTML library produces an extraction-ready dataset that updates as CISA publishes new entries and new advisories. The pipeline should run on a daily cadence so the extracted content stays current with the source archives.
Worked example: applying the workflow to a single KEV entry
Consider a KEV catalog entry for a vulnerability in a vendor's enterprise-VPN product. The entry records the CVE identifier, the vendor name, the product name, the vulnerability description (a credential-bypass vulnerability), the date the vulnerability was added to the catalog, and the federal-civilian-remediation deadline (twenty-one days after the catalog-addition date).
Stage 1 identifies the entry as part of the corpus for the vendor's enterprise-VPN product. Stage 2 discriminates the axis — the entry is along the vulnerability-listing axis (the vendor's product is the affected product, not a CISA-recommended response tool). Stage 3 applies the attribution-safe quoting framework — the marketing material can cite the entry to show that the vendor published the patch ten days before the catalog-addition date and that the vendor's customer-communication cadence supported customers in meeting the federal-civilian-remediation deadline. The citation includes the source attribution ("as listed in the CISA KEV catalog"), the temporal attribution (catalog-addition date and remediation-deadline date), and the scope attribution (the citation is to the specific catalog entry and not to a general CISA endorsement). Stage 4 verifies that the CVE identifier resolves to the cited entry, that the quoted text matches the source text, and that the use of the source complies with CISA's terms of use.
The resulting marketing asset is a remediation-cadence proof point that the prospective customer can independently verify against the public KEV catalog. The asset reads as more credible than a marketing-constructed asset of similar content because the source material is a public regulatory record and the attribution preserves the specificity of the source.
Conclusion
The CISA KEV catalog and the CISA advisory archive together constitute the most product-name-dense public cybersecurity archive in the United States, and the archives are systematically under-extracted as social proof by the cybersecurity-tooling, vulnerability-management, patching-platform, and managed-detection-and-response companies whose products are being mentioned. The four-stage extraction workflow (source-archive identification and corpus construction, vulnerability-listing-axis and remediation-disclosure-axis discrimination, attribution-safe quoting framework application, quality verification and publication-readiness review) converts the archives into citable customer outcomes that the cybersecurity product company can use as social proof. The discrimination between the vulnerability-listing axis and the remediation-disclosure axis prevents the cross-presentation failure and the over-attribution failure, and the attribution-safe quoting framework meets the legal and reputational requirements for using the archives in cybersecurity marketing materials. The result is a social-proof asset library that documents the vendor's remediation-cadence discipline and the vendor's inclusion in the CISA-recommended response posture, and that the prospective customer can independently verify against the public CISA archives.