🚨 CISA KEV Scraper

🚀 Export the U.S. federal Known Exploited Vulnerabilities catalogue in seconds. Track every CVE actively exploited in the wild with vendor, product, due date, and ransomware-campaign tagging from the official CISA KEV catalogue. No sign-up, no token, no manual CSV wrangling.

🕒 Last updated: 2026-05-15 · 📊 14 fields per record · 🚨 1,500+ exploited CVEs · 🏢 600+ vendors · ⏰ Federal due-date tracking

The CISA KEV Scraper pulls every entry from the U.S. Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalogue and returns 14 normalised fields per record, including the CVE ID, vendor, product, vulnerability name, addition date, required action, federal due date, ransomware-campaign flag, and associated CWE weaknesses. The catalogue is the single most important U.S. government list for vulnerability prioritisation. Federal civilian agencies are bound by Binding Operational Directive 22-01 to remediate every entry by its due date.

The catalogue covers 1,500+ CVEs across 600+ vendors and projects spanning operating systems, network gear, browsers, email servers, virtualisation platforms, and SaaS products. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in seconds. Filters apply locally on the full catalogue snapshot, so you skip pagination, retry handling, and JSON-to-spreadsheet plumbing entirely.

🎯 Target Audience	💡 Primary Use Cases
Security operations teams, vulnerability managers, federal contractors, MSSPs, threat intel analysts, compliance officers, security tool builders	BOD 22-01 compliance, patch prioritisation, ransomware risk reports, SIEM enrichment, executive dashboards, incident response triage

---

📋 What the CISA KEV Scraper does

Six filtering workflows in a single run:

• 🌐 Full catalogue export. Every active KEV entry in one dataset.
• 🏢 Vendor filter. Restrict to a vendor like Microsoft, Cisco, or Apache.
• 📦 Product filter. Drill down to a specific product line like Windows or Log4j.
• 🆔 CVE filter. Find a single CVE in the catalogue.
• 💀 Ransomware-only filter. Restrict to CVEs flagged as Known ransomware campaign use.
• 🧬 CWE filter. Slice by weakness type, e.g. CWE-79,CWE-89.

Each record includes the CVE identifier, vendor and product, plain-English vulnerability name, short description, the action CISA requires, the due date federal agencies must meet, a normalised ransomware-use boolean, free-text notes, and the full CWE list.

💡 Why it matters: the CISA KEV catalogue is the single most actionable feed for vulnerability prioritisation. Building your own ingestion means handling JSON parsing, normalising the ransomware text field, and refreshing on cadence. This Actor skips all of that and gives you a clean, downloadable dataset.

---

🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded KEV dataset.

---

⚙️ Input

Input	Type	Default	Behavior
cveId	string	""	Case-insensitive substring match on CVE ID.
vendor	string	""	Case-insensitive substring match on vendor (e.g. Microsoft).
product	string	""	Case-insensitive substring match on product (e.g. Windows).
addedAfter	YYYY-MM-DD	""	Only include entries added to the catalogue on or after this date.
ransomwareOnly	boolean	false	Restrict to CVEs with knownRansomwareCampaignUse = "Known".
cwes	string	""	Comma-separated CWE IDs (e.g. CWE-79,CWE-89,787).
requiredActionDueAfter	YYYY-MM-DD	""	Only include entries with a federal due date on or after this date.
maxItems	integer	10	Records to return. Free plan caps at 10, paid plan at 1,000,000.

Example: every Microsoft KEV entry actively used in ransomware campaigns.

{
    "vendor": "Microsoft",
    "ransomwareOnly": true,
    "maxItems": 200
}

Example: KEV entries added in 2025 with upcoming federal due dates.

{
    "addedAfter": "2025-01-01",
    "requiredActionDueAfter": "2025-06-01",
    "maxItems": 500
}

⚠️ Good to Know: federal civilian agencies must remediate KEV entries by the published due date under BOD 22-01. Private organisations are not legally bound but the catalogue remains the highest-signal prioritisation list available.

---

📊 Output

Each record contains 14 fields. Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

Field	Type	Example
🆔 cveID	string	"CVE-2021-44228"
🔗 url	string	"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
🏢 vendorProject	string	"Apache"
📦 product	string	"Log4j2"
🏷️ vulnerabilityName	string	"Apache Log4j2 Remote Code Execution Vulnerability"
📅 dateAdded	YYYY-MM-DD	"2021-12-10"
📝 shortDescription	string	"Apache Log4j2 contains a vulnerability where JNDI features..."
🛠️ requiredAction	string	"For all affected software assets... apply mitigations..."
⏰ dueDate	YYYY-MM-DD	"2021-12-24"
💀 knownRansomwareCampaignUse	boolean | null	true
💀 knownRansomwareCampaignUseRaw	string | null	"Known"
📝 notes	string | null	"https://logging.apache.org/log4j/2.x/security.html;..."
🧬 cwes	string[]	["CWE-20", "CWE-400", "CWE-502"]
🕒 scrapedAt	ISO 8601	"2026-05-15T00:00:00.000Z"

📦 Sample record

---

✨ Why choose this Actor

	Capability
🚨	Authoritative source. Pulls directly from the official CISA KEV catalogue, the U.S. federal exploited-vulnerability list.
⏰	Federal due dates. Each entry carries the BOD 22-01 remediation deadline for federal civilian agencies.
💀	Ransomware tagging. Both raw text and a normalised boolean for knownRansomwareCampaignUse.
🧬	CWE mapping. Each KEV entry is paired with its full list of weakness IDs.
🔍	Six filters. Vendor, product, CVE, date-added, due-date, ransomware-only, and CWE all combine freely in one run.
🔁	Always fresh. Every run hits the live catalogue, so the dataset reflects current entries and ransomware flags.
🚫	No sign-up. Works with public U.S. government data. No login or token needed.

📊 The KEV catalogue is the single highest-signal vulnerability prioritisation list. Owning a clean local copy is a multiplier for every patch-management and SOC workflow.

---

📈 How it compares to alternatives

Approach	Cost	Coverage	Refresh	Filters	Setup
⭐ CISA KEV Scraper (this Actor)	$5 free credit, then pay-per-use	1,500+ CVEs	Live per run	vendor, product, CVE, date, CWE, ransomware	⚡ 2 min
Commercial threat-intel feeds	$10,000+/year	KEV + extra context	Streaming	Many	⏳ Days
Manual CSV downloads	Free	Full	Stale	None	🐢 Hours
Self-built ingestion	Engineering time	Full	Custom	Custom	🛠️ Weeks

Pick this Actor when you want the canonical KEV catalogue with normalised filters and ready-to-load output.

---

🚀 How to use

1. 📝 Sign up. Create a free account with $5 credit (takes 2 minutes).
2. 🌐 Open the Actor. Go to the CISA KEV Scraper page on the Apify Store.
3. 🎯 Set input. Pick a vendor, product, date filter, or leave blank for the full catalogue, then set maxItems.
4. 🚀 Run it. Click Start and let the Actor collect your data.
5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.

---

💼 Business use cases

🛡️ Federal & Compliance Daily BOD 22-01 compliance dashboards for federal teams Evidence packs for FedRAMP and FISMA assessments Tracking remediation SLAs against KEV due dates Slack alerts when a CVE in your stack hits the catalogue	🔍 Vulnerability Management KEV-aware patch prioritisation queues Vendor scorecards based on KEV count over time Asset triage that fast-tracks KEV entries Cross-referencing KEV with internal scanner output
💀 Threat Intel & Ransomware Tracking Monitor new ransomware-use flags in near real time Build ransomware risk reports filtered by vendor or product Correlate KEV adds with ransomware group activity Customer-facing trust pages with ransomware exposure stats	📊 Executive Reporting Board dashboards showing KEV coverage and remediation rates Insurance underwriting models for cyber risk M&A due diligence on target attack-surface exposure Quarterly security posture reports for stakeholders

---

🔌 Automating CISA KEV Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

• 🟢 Node.js. Install the apify-client NPM package.
• 🐍 Python. Use the apify-client PyPI package.
• 📚 See the Apify documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Daily refreshes keep your downstream patch management and SOC workflows in sync automatically.

---

🌟 Beyond business use cases

Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.

🎓 Research and academia KEV growth and remediation trend analysis for academic papers Vendor risk modelling for security economics research Coursework on vulnerability prioritisation and patching Reproducible studies with cited, versioned dataset pulls	🎨 Personal and creative Hobbyist KEV dashboards for home-lab security research Newsletter and blog research on the latest exploited CVEs Portfolio projects that show off security data engineering Personal alerting bots for vendors you actually use
🤝 Non-profit and civic Local government IT teams tracking exposure to known threats Civic-tech projects mapping risk for critical infrastructure Investigative journalism on ransomware-vendor patterns Community advocacy around responsible disclosure timelines	🧪 Experimentation Train ML models on KEV characteristics and remediation lag Prototype agent pipelines that summarise new entries Test SIEM rules against historical KEV waves Build dashboards on top of live KEV feeds

---

🤖 Ask an AI assistant about this scraper

Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:

• 💬 ChatGPT
• 🧠 Claude
• 🔍 Perplexity
• 🅒 Copilot

---

❓ Frequently Asked Questions

🧩 How does it work?

Configure your filters in the input form, click Start, and the Actor pulls the latest KEV catalogue snapshot from CISA, applies your filters locally, and emits one clean record per matching entry.

📏 How accurate is the data?

Records are mirror-copies of the official CISA KEV catalogue at run time. Vendor, product, dates, descriptions, required actions, and CWE mappings are taken verbatim from the source.

🔁 How often is the dataset refreshed?

CISA updates the catalogue when a new exploited CVE is identified, typically several times per week. Every run reflects the catalogue as of run time.

💀 What does the ransomware flag mean?

knownRansomwareCampaignUse = true means CISA has confirmed observed use of the CVE in ransomware campaigns. false means CISA has no confirmed reports yet. The raw text field is also preserved if you need the exact source value.

⏰ What is the due date?

Federal civilian agencies must remediate the CVE by the due date under Binding Operational Directive 22-01. Private organisations are not legally bound but it remains the strongest recommended deadline.

🧬 What is a CWE?

CWE (Common Weakness Enumeration) is the standard taxonomy of software weaknesses. Each KEV entry is mapped to one or more CWE IDs that classify the underlying flaw type, like buffer overflow or cross-site scripting.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is a daily schedule that pulls the catalogue and pushes new entries into a SIEM or ticketing system.

⚖️ Is this data legal to use?

The KEV catalogue is a U.S. government public dataset with no restrictions on use, including commercial use. You should still review the official terms for your specific application.

💳 Do I need a paid Apify plan to use this Actor?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.

🔁 What happens if a run fails or gets interrupted?

Apify automatically retries transient errors. If a run still fails, you can inspect the log in the Runs tab, fix the input, and re-run. Partial datasets from failed runs are preserved so you never lose progress.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.

---

🔌 Integrate with any app

CISA KEV Scraper connects to any cloud service via Apify integrations:

• Make - Automate multi-step workflows
• Zapier - Connect with 5,000+ apps
• Slack - Get KEV alerts in your security channels
• Airbyte - Pipe KEV data into your warehouse
• GitHub - Trigger runs from commits and releases
• Google Drive - Export datasets straight to Sheets

You can also use webhooks to trigger downstream actions when a run finishes. Push fresh KEV data into your ticketing system, or alert your team in Slack when a new entry hits the catalogue.

---

🔗 Recommended Actors

• 🛡️ NIST NVD CVE Scraper - Official NVD catalogue with CVSS v4/v3/v2 scores
• 📈 EPSS Exploit Prediction Scraper - 30-day exploitation probability scores
• 🐙 GitHub Security Advisories Scraper - GHSA + CVE advisories with patched versions
• 📦 OSV Vulnerabilities Scraper - Open source vulnerabilities across 30+ ecosystems
• 🔬 CIRCL CVE Scraper - CIRCL Luxembourg CVE catalogue with CWE and CAPEC

💡 Pro Tip: browse the complete ParseForge collection for more security and reference-data scrapers.

---

🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.

---

⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by CISA, the U.S. Department of Homeland Security, or any other government agency. All trademarks mentioned are the property of their respective owners. Only publicly available U.S. government vulnerability data is collected.