KEV, OSV, EPSS: how to actually read open-source threat feeds
Over 3,000 CVEs are published in a typical month. If your vulnerability management program treats them all equally, it manages none of them. The good news: the best prioritization data is free, public, and machine-readable. Our threat dashboard is built entirely from these sources - this post explains what each one actually tells you.
CISA KEV: what is being exploited right now
The Known Exploited Vulnerabilities catalog is the highest-signal list in the industry. A CVE only enters KEV when there is reliable evidence of active exploitation in the wild - not proof-of-concept code, not theoretical severity, actual attacks. US federal agencies are legally required to remediate KEV entries on a deadline; you should treat them with the same urgency.
If a CVE in your stack appears in KEV, that is a drop-everything event. There are only a few dozen additions per month, which is exactly what makes it actionable.
OSV: the open-source dependency view
OSV.dev (Open Source Vulnerabilities) maps advisories to the exact
package ecosystems developers live in: npm, PyPI, Go modules, crates.io, Maven, and more.
Where a CVE says “software X is affected,” OSV says “package foo versions >=1.2, <1.4.7 are affected” - which is what your lockfile actually needs.
Because the schema is precise and the API is free, OSV is what powers most modern dependency scanners. If you ship software, your CI should be asking OSV about every dependency on every build.
EPSS: the probability layer
The Exploit Prediction Scoring System assigns every CVE a daily-updated probability of exploitation in the next 30 days, learned from real exploitation telemetry. CVSS tells you how bad a vulnerability could be; EPSS tells you how likely someone will use it.
The practical combination is a two-axis triage: KEV membership or high EPSS → fix now; high CVSS but negligible EPSS → schedule it. That single rule eliminates most of the noise a CVSS-only program drowns in.
How our dashboard uses them
The threat dashboard on this site refreshes these feeds server-side every few hours: recent KEV additions, high-severity NVD entries, ecosystem advisories from OSV, and the day’s top EPSS movers - plus a map of real attack traffic our own WAF blocks. No third-party requests happen in your browser; our server fetches, aggregates, and serves everything first-party.
It is the same triage view we run for clients - published, because transparency about method is the cheapest trust signal there is.
Get new posts by email
Security engineering, compliance without theatre, open-source threat intel. No tracking, no forwarding your address, unsubscribe in one click.