The Illusion of Full Visibility: Why Organizations Are Missing Most Real-World Exploits


Cybersecurity professionals have long been told that visibility is the foundation of security. If you know which vulnerabilities are being exploited, you know where to focus. Budgets, dashboards, compliance audits, and patching strategies are built around this idea. However, the idea only holds true if the source of "visibility" accurately reflects reality. Today, it no longer does.

Modern software stacks are inextricably linked to open source. According to the 2025 Open Source Security and Risk Analysis report, 97% of applications include open source components, accounting for roughly 70% of the average codebase and more than 900 components per application. In practice, that means most organizations depend on code they didn't write, can't directly control, and may never fully inventory.

As the dependency chain grows, exposure scales with it. Every new library, framework, or imported module adds its own potential attack path, and all attackers need is one.

Why a Catalog of "Known Exploited Vulnerabilities" Can't Keep Enterprises Safe Anymore

When the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched the Known Exploited Vulnerabilities (KEV) list in 2021, it addressed an urgent need: distinguishing between theoretical CVEs and those confirmed to be exploited in the wild. The emergence of KEV allowed security teams to prioritize what was actually dangerous rather than what was merely possible.

In that era, KEV represented progress. In today's era, it represents latency.

Miggo Security's recent research reveals a reality the industry has been reluctant to confront: KEV represents a minority of real exploit risk. After analyzing more than 24,000 open source vulnerabilities from the GitHub Security Advisory (GHSA) database, Miggo's research team identified 572 vulnerabilities with at least one GitHub-hosted exploit repository.

Only 69 of these 572 exploits appear in KEV.

The miss isn't selective; it's structural. Among the verified exploit set:

  • 407 weaponized or fully functional exploits were identified
  • 165 were proof-of-concept exploits

KEV recorded only 68 of the 407 functional exploits, and just 1 of the 165 proof-of-concept exploits. This isn't a rounding error. It's evidence that organizations relying heavily on KEV are blind to most of the weaponized exploits that already exist in public repositories.
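The cross-referencing described above, joining advisories that have public exploit code against the KEV catalog and counting the overlap by exploit maturity, is straightforward to reproduce for your own dependency inventory. The following is an added example, not code from the article or from Miggo's research: the advisory records, the GHSA and CVE identifiers and the KEV set are all constructed placeholders, and the "functional" versus "poc" maturity labels are an assumed classification, not a field the GHSA database provides.

```python
"""KEV-gap calculator over a constructed advisory set (added example, not the article's code)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Advisory:
    """One advisory with the exploit repositories found for it.

    exploit_repos holds (url, maturity) pairs; maturity is "functional" or "poc".
    Both values and the identifiers below are constructed placeholders.
    """
    ghsa_id: str
    cve_id: Optional[str]
    exploit_repos: List[Tuple[str, str]]

    def maturity(self) -> Optional[str]:
        """Highest exploit maturity seen across repos, or None if no exploit exists."""
        levels = {m for _, m in self.exploit_repos}
        if "functional" in levels:
            return "functional"
        if "poc" in levels:
            return "poc"
        return None


def kev_gap(advisories: List[Advisory], kev_cves: set):
    """Count advisories with public exploits and how many of them KEV lists.

    Returns (stats, uncovered): stats is keyed by maturity with counters
    "with_exploit" and "in_kev"; uncovered lists the advisories that have an
    exploit but no KEV entry, functional exploits first.
    """
    stats = {"functional": Counter(), "poc": Counter()}
    uncovered = []
    for adv in advisories:
        m = adv.maturity()
        if m is None:
            continue  # no public exploit; not part of the verified exploit set
        stats[m]["with_exploit"] += 1
        # An advisory without a CVE cannot be in KEV at all.
        if adv.cve_id is not None and adv.cve_id in kev_cves:
            stats[m]["in_kev"] += 1
        else:
            uncovered.append(adv)
    # Functional exploits outrank proof-of-concept ones for patch ordering.
    uncovered.sort(key=lambda a: 0 if a.maturity() == "functional" else 1)
    return stats, uncovered


# Constructed sample data: fake GHSA ids, CVE ids and repository URLs.
SAMPLE_ADVISORIES = [
    Advisory("GHSA-xxxx-0001", "CVE-0000-0001", [("https://example.invalid/r1", "functional")]),
    Advisory("GHSA-xxxx-0002", "CVE-0000-0002", [("https://example.invalid/r2", "functional")]),
    Advisory("GHSA-xxxx-0003", "CVE-0000-0003", [("https://example.invalid/r3", "poc")]),
    Advisory("GHSA-xxxx-0004", "CVE-0000-0004", [("https://example.invalid/r4", "poc"),
                                                 ("https://example.invalid/r5", "functional")]),
    Advisory("GHSA-xxxx-0005", None, [("https://example.invalid/r6", "poc")]),
    Advisory("GHSA-xxxx-0006", "CVE-0000-0006", []),
]
SAMPLE_KEV = {"CVE-0000-0001"}  # constructed: only one of the exploited CVEs is listed


def sample_report():
    """Run the gap analysis on the constructed data and return the results."""
    return kev_gap(SAMPLE_ADVISORIES, SAMPLE_KEV)


if __name__ == "__main__":
    stats, uncovered = sample_report()
    for level in ("functional", "poc"):
        c = stats[level]
        print(f"{level}: {c['with_exploit']} with exploit, {c['in_kev']} in KEV")
    print("exploitable but not in KEV:", [a.ghsa_id for a in uncovered])
```

The `uncovered` list is the part a patching queue should consume: everything in it has public exploit code yet would be invisible to a KEV-only prioritization. Replace the constructed records with your own SBOM-matched advisories and the current KEV JSON feed to get a real figure for your estate.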

Exploitation Has Outgrown Verification

Miggo defines the discrepancy as the KEV Gap, the distance between what's actively exploitable and what the KEV catalog acknowledges. That distance keeps widening due to a converging set of pressures, which Miggo identifies as the four Vs of modern exploitation: Volume, Variants, Velocity, and Visibility.

The most destabilizing of the four is velocity. Exploitation used to unfold over months. Then weeks. According to Miggo, AI-assisted threat actors can weaponize vulnerabilities within minutes of their disclosure. The speed of exploitation has surpassed the speed of verification, and KEV is fundamentally a verification-based system.

KEV can only include vulnerabilities that have been confirmed to be actively exploited. But attackers aren't waiting for confirmation to strike. They simply use the publicly released exploit code, and there's no requirement for a breach to be reported or validated before the attack is executed.

This forces a question the industry has avoided for years: if exploitation is fully automated and confirmation is not, how can a confirmation-based defense model survive?

Defense Shifts From Classification to Prevention Inside the Runtime

Miggo's answer is not to fix KEV but to replace the role KEV has been filling. The company proposes a proactive runtime defense model: technology that operates inside live applications to determine whether a vulnerability is exploitable in that specific environment and automatically deploys AI-generated virtual patching to block the attack path.

In this model, mitigation doesn't depend on:

  • a CVE being published
  • KEV listing it
  • a patch being issued
  • incident confirmation

Instead, runtime protection uses application behavior, data flow, and execution paths to stop exploits the moment they occur, whether documented or not.

Miggo states that this reduces time-to-mitigation from weeks or months to seconds, buying engineering teams breathing room to apply permanent patches rather than firefight production attacks.

The New Boundary of Cybersecurity Is Where Code Runs


Miggo isn't arguing that KEV should disappear; it argues that KEV can no longer anchor risk strategy. KEV was built for a world where exploitation was manual. Exploitation is not manual anymore.

The calculus has changed. Organizations are flooded with vulnerabilities. Attackers exploit at machine speed. AI models are embedded directly in software systems. Static lists were never designed for this environment.

Miggo's research points to an uncomfortable but necessary evolution: cyber defense must move from identifying vulnerable code to interrupting exploitable behavior inside the runtime itself. Software is now dynamic, and risk is, too. It follows that security must also be dynamic.
