CISA Known Exploited Vulnerabilities Search
Pricing
from $3.00 / 1,000 vulnerabilities fetched
Search & monitor the CISA KEV catalog of actively exploited CVEs. Filter by vendor, product, keyword, date range, and ransomware usage. Get structured JSON with NVD links for vulnerability management and compliance.
Developer: ryan clinton
CISA KEV Catalog
Search and filter the official CISA Known Exploited Vulnerabilities (KEV) catalog -- the authoritative U.S. government list of vulnerabilities actively exploited in the wild. This Apify actor downloads the full KEV JSON feed published by the Cybersecurity and Infrastructure Security Agency, applies your filters (keyword, vendor, product, date range, ransomware association), and returns structured results sorted by the date each vulnerability was added. Every result includes auto-generated links to the NIST National Vulnerability Database and the CISA catalog itself. No API key required -- the KEV catalog is free, public government data.
Why use CISA KEV Catalog?
The CISA KEV catalog is the foundation of Binding Operational Directive (BOD) 22-01, which mandates that all U.S. federal agencies remediate listed vulnerabilities by specific due dates. Private-sector organizations increasingly use the KEV catalog as a prioritization framework because every entry represents a vulnerability with confirmed active exploitation -- not just a theoretical risk.
The raw CISA feed is a single monolithic JSON file containing over 1,100 vulnerabilities. Parsing, filtering, and monitoring it manually is tedious and error-prone. This actor handles the download, filtering, sorting, and structured output so you can focus on remediation decisions rather than data wrangling.
Running on Apify means you can schedule daily or weekly monitoring runs, trigger Slack or email alerts via webhooks when new KEV entries appear, and pull filtered results into dashboards, ticketing systems, or SIEMs through the Apify REST API. No servers to maintain, no cron jobs to babysit, no infrastructure overhead.
The actor is built for cybersecurity teams, vulnerability management platforms, compliance auditors, penetration testers, and security researchers who need programmable, filterable access to the KEV catalog without building their own ingestion pipeline.
Key features
- Full-text keyword search -- matches across CVE ID, vendor, product, vulnerability name, and short description in a single query
- Vendor filtering -- narrow results to a specific vendor or project (e.g., Microsoft, Apache, Google, Cisco, Adobe)
- Product filtering -- isolate a specific product or component (e.g., Exchange Server, Log4j, Chrome, iOS)
- Date range filtering -- find vulnerabilities added to the catalog within a specific time window using YYYY-MM-DD boundaries
- Ransomware campaign filter -- isolate only vulnerabilities with confirmed ransomware exploitation, flagged as "Known" by CISA
- NVD cross-reference links -- every result includes an auto-generated URL to the NVD detail page for the CVE
- CISA catalog link -- every result includes a direct link to the official CISA KEV catalog page
- Sorted by recency -- results are always returned with the most recently added vulnerabilities first
- Configurable result limits -- return anywhere from 1 to 1,000 entries per run
- No API key required -- the CISA KEV feed is free, public, and has no authentication or rate limits
How to use
Using the Apify Console
- Go to the CISA KEV Catalog actor page on Apify Store.
- Click Try for free to open the actor in Apify Console.
- Enter your search filters. For example, type `Apache` in the Search Query field, or enter `Microsoft` in the Vendor/Project field.
- Optionally set a date range, enable Ransomware Only, or adjust Max Results.
- Click Start to run the actor.
- When the run completes (typically under 10 seconds), switch to the Dataset tab to view results.
- Download results as JSON, CSV, Excel, or access them programmatically via the Apify API.
Using the API
```bash
curl "https://api.apify.com/v2/acts/ryanclinton~cisa-kev-search/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "query": "Log4j",
    "vendor": "Apache",
    "ransomwareOnly": true,
    "maxResults": 100
  }'
```
After the run completes, retrieve the dataset items from the response's defaultDatasetId.
Input parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| `query` | String | No | -- | Full-text search keyword. Matches against CVE ID, vendor, product, vulnerability name, and description. |
| `vendor` | String | No | -- | Filter by vendor or project name (e.g., Microsoft, Apache, Google, Cisco). Case-insensitive partial match. |
| `product` | String | No | -- | Filter by product name (e.g., Windows, Chrome, Log4j, Exchange Server). Case-insensitive partial match. |
| `dateAddedFrom` | String | No | -- | Only include vulnerabilities added on or after this date. Format: YYYY-MM-DD. |
| `dateAddedTo` | String | No | -- | Only include vulnerabilities added on or before this date. Format: YYYY-MM-DD. |
| `ransomwareOnly` | Boolean | No | false | When enabled, only returns vulnerabilities confirmed to be exploited in ransomware campaigns. |
| `maxResults` | Integer | No | 50 | Maximum number of results to return. Range: 1--1000. |
```json
{
  "query": "remote code execution",
  "vendor": "Microsoft",
  "dateAddedFrom": "2024-01-01",
  "dateAddedTo": "2024-12-31",
  "ransomwareOnly": false,
  "maxResults": 200
}
```
Tips:
- Combine `vendor` and `product` for precision -- for example, vendor `Apple` and product `iOS` returns only Apple iOS vulnerabilities, excluding macOS or Safari entries.
- If no filters are provided, the actor returns the most recently added vulnerabilities up to `maxResults`. This is useful for a quick check on the latest KEV additions.
- Use `dateAddedFrom` set to the last 7 or 30 days for scheduled monitoring runs that surface only new catalog entries.
Output
```json
[
  {
    "cveID": "CVE-2021-44228",
    "vendorProject": "Apache",
    "product": "Log4j",
    "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
    "dateAdded": "2021-12-10",
    "shortDescription": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.",
    "requiredAction": "For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks.",
    "dueDate": "2021-12-24",
    "knownRansomwareCampaignUse": "Known",
    "notes": "",
    "nvdUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
    "cisaUrl": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
  },
  {
    "cveID": "CVE-2023-23397",
    "vendorProject": "Microsoft",
    "product": "Outlook",
    "vulnerabilityName": "Microsoft Outlook Privilege Escalation Vulnerability",
    "dateAdded": "2023-03-14",
    "shortDescription": "Microsoft Outlook contains a privilege escalation vulnerability that allows for a NTLM relay attack against another service to authenticate as the user.",
    "requiredAction": "Apply updates per vendor instructions.",
    "dueDate": "2023-04-04",
    "knownRansomwareCampaignUse": "Unknown",
    "notes": "",
    "nvdUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-23397",
    "cisaUrl": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
  }
]
```
| Field | Type | Description |
|---|---|---|
| `cveID` | String | The CVE identifier (e.g., CVE-2021-44228). |
| `vendorProject` | String | The vendor or open-source project responsible for the affected software. |
| `product` | String | The specific product or component affected. |
| `vulnerabilityName` | String | A human-readable name for the vulnerability. |
| `dateAdded` | String | The date CISA added the vulnerability to the KEV catalog (YYYY-MM-DD). |
| `shortDescription` | String | A brief technical description of the vulnerability. |
| `requiredAction` | String | The remediation action mandated by CISA under BOD 22-01. |
| `dueDate` | String | The deadline by which federal agencies must remediate (YYYY-MM-DD). |
| `knownRansomwareCampaignUse` | String | Either "Known" or "Unknown" -- indicates confirmed ransomware exploitation. |
| `notes` | String | Additional notes from CISA, if any. |
| `nvdUrl` | String | Direct link to the NVD detail page for this CVE. |
| `cisaUrl` | String | Link to the official CISA KEV catalog. |
Use cases
- Vulnerability prioritization -- feed KEV data into your patch management workflow to prioritize remediation of vulnerabilities with confirmed active exploitation over theoretical risks
- BOD 22-01 compliance -- federal agencies can track which KEV entries still need remediation before their due dates and generate compliance status reports
- Ransomware risk assessment -- filter for ransomware-associated vulnerabilities to build a focused remediation list for executive briefings and board-level risk reporting
- Vendor-specific auditing -- filter by vendor (e.g., Microsoft, Cisco, Adobe) to assess your exposure within a specific software ecosystem
- Security monitoring -- schedule daily runs with a recent `dateAddedFrom` to detect newly added KEV entries and trigger Slack or email alerts via webhooks
- Threat intelligence enrichment -- cross-reference KEV entries with NVD CVSS scores, EPSS probabilities, and threat feeds to build comprehensive vulnerability intelligence
- Penetration testing preparation -- identify which known-exploited vulnerabilities affect your target's technology stack before an engagement
- Supply chain risk analysis -- search for vulnerabilities by product (e.g., Log4j, OpenSSL, Spring Framework) to assess open-source dependency risks across your software supply chain
- Insurance underwriting -- cybersecurity insurers can evaluate an organization's exposure to known-exploited vulnerabilities as part of risk scoring
API & integration
Python
```python
from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

run_input = {
    "vendor": "Microsoft",
    "product": "Exchange Server",
    "ransomwareOnly": True,
    "maxResults": 100,
}

run = client.actor("ryanclinton/cisa-kev-search").call(run_input=run_input)

dataset_items = client.dataset(run["defaultDatasetId"]).list_items().items
for item in dataset_items:
    print(f"{item['cveID']} -- {item['vulnerabilityName']} (due: {item['dueDate']})")
```
JavaScript
```javascript
import { ApifyClient } from "apify-client";

const client = new ApifyClient({ token: "YOUR_API_TOKEN" });

const run = await client.actor("ryanclinton/cisa-kev-search").call({
    query: "remote code execution",
    dateAddedFrom: "2024-01-01",
    maxResults: 200,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.log(`${item.cveID} -- ${item.vulnerabilityName} (${item.dateAdded})`);
});
```
cURL
```bash
# Start a run
curl "https://api.apify.com/v2/acts/ryanclinton~cisa-kev-search/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "vendor": "Google",
    "product": "Chrome",
    "maxResults": 50
  }'

# Fetch dataset items (replace DATASET_ID from the run response)
curl "https://api.apify.com/v2/datasets/DATASET_ID/items?format=json" \
  -H "Authorization: Bearer YOUR_API_TOKEN"
```
This actor integrates with the broader Apify ecosystem. Connect it to Zapier, Make (Integromat), Google Sheets, Slack, or GitHub Actions using Apify webhooks and integrations to build automated vulnerability monitoring pipelines.
How it works
- Download the KEV catalog -- the actor fetches the full CISA KEV JSON feed from `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`. This is a single HTTP request that returns the complete catalog.
- Parse the catalog -- the JSON response is parsed into a structured array of vulnerability entries. The catalog includes metadata such as the version number, release date, and total vulnerability count.
- Apply keyword filter -- if a `query` is provided, it performs a case-insensitive substring match across five fields: CVE ID, vendor, product, vulnerability name, and short description.
- Apply vendor and product filters -- if `vendor` or `product` is provided, each performs a case-insensitive substring match on the corresponding field. Filters stack -- all active filters must match for a vulnerability to be included.
- Apply date range filter -- if `dateAddedFrom` or `dateAddedTo` is set, vulnerabilities outside the specified range are excluded using string comparison on the YYYY-MM-DD date format.
- Apply ransomware filter -- if `ransomwareOnly` is enabled, only entries where `knownRansomwareCampaignUse` equals "Known" are retained.
- Sort and limit -- matching results are sorted by `dateAdded` in descending order (most recent first), then truncated to `maxResults` (capped at 1,000). Each entry is enriched with `nvdUrl` and `cisaUrl` before being pushed to the Apify dataset.
```
┌─────────────────────────┐
│  CISA KEV JSON Feed     │
│  (full catalog download)│
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Parse JSON catalog     │
│  (1,100+ entries)       │
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Apply keyword filter   │
│  (query across 5 fields)│
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Apply vendor filter    │
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Apply product filter   │
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Apply date range filter│
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Apply ransomware filter│
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Sort by dateAdded DESC │
│  Limit to maxResults    │
│  Enrich with NVD + CISA │
│  URLs                   │
└───────────┬─────────────┘
            │
            v
┌─────────────────────────┐
│  Push to Apify dataset  │
│  (JSON / CSV / Excel)   │
└─────────────────────────┘
```
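The pipeline above can be reproduced offline against a saved copy of the feed. This is an added example, not the actor's own source: `search_kev`, `check_date` and `contains` are hypothetical names, the sample catalog is constructed (two rows reuse values from the Output section, `CVE-0000-0001` is a placeholder), and the date check is an addition that guards the string-comparison step.

```python
import re
from datetime import date

NVD_BASE = "https://nvd.nist.gov/vuln/detail/"
CISA_URL = "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
SEARCH_FIELDS = ("cveID", "vendorProject", "product",
                 "vulnerabilityName", "shortDescription")

# Constructed sample shaped like the feed's "vulnerabilities" array. The first
# two rows reuse values from the Output section; CVE-0000-0001 is a placeholder.
SAMPLE_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "shortDescription": "", "dateAdded": "2021-12-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-23397", "vendorProject": "Microsoft", "product": "Outlook",
     "vulnerabilityName": "Microsoft Outlook Privilege Escalation Vulnerability",
     "shortDescription": "", "dateAdded": "2023-03-14",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "Chromium", "vulnerabilityName": "Constructed entry",
     "shortDescription": "Constructed text that mentions Chrome.",
     "dateAdded": "2024-06-01", "knownRansomwareCampaignUse": "Unknown"},
]}


def check_date(value, name):
    """Accept None or a real YYYY-MM-DD date. Because the filter compares
    strings, '03/01/2024' would sort before every '20xx-..' value and a
    dateAddedFrom in that form would silently match the whole catalog."""
    if value is None:
        return None
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        raise ValueError(f"{name} must be YYYY-MM-DD, got {value!r}")
    date.fromisoformat(value)  # rejects impossible dates such as 2024-02-31
    return value


def contains(field, needle):
    """Case-insensitive substring match; missing fields never match."""
    return needle.lower() in (field or "").lower()


def search_kev(catalog, query=None, vendor=None, product=None,
               date_from=None, date_to=None, ransomware_only=False,
               max_results=50):
    date_from = check_date(date_from, "dateAddedFrom")
    date_to = check_date(date_to, "dateAddedTo")
    hits = []
    for v in catalog.get("vulnerabilities", []):
        added = v.get("dateAdded", "")
        if query and not any(contains(v.get(f), query) for f in SEARCH_FIELDS):
            continue
        if vendor and not contains(v.get("vendorProject"), vendor):
            continue
        if product and not contains(v.get("product"), product):
            continue
        if (date_from and added < date_from) or (date_to and added > date_to):
            continue
        if ransomware_only and v.get("knownRansomwareCampaignUse") != "Known":
            continue
        hits.append({**v, "nvdUrl": NVD_BASE + v["cveID"], "cisaUrl": CISA_URL})
    hits.sort(key=lambda v: v["dateAdded"], reverse=True)  # newest first
    return hits[:max(1, min(int(max_results), 1000))]
```

On the sample, `query="chrome"` returns the Chromium row because its description mentions Chrome, while `product="Chrome"` returns nothing: the keyword search spans five fields and the product filter only one.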
Performance & cost
| Metric | Details |
|---|---|
| Run time | Typically 5--10 seconds, including catalog download and filtering. |
| Memory usage | ~128--256 MB. The full KEV JSON is approximately 2--3 MB and is processed entirely in memory. |
| Compute cost | Approximately $0.001 or less per run at standard Apify pricing. Hundreds of runs fit within the free tier. |
| Network requests | Exactly 1 HTTP request per run to download the CISA KEV feed. |
| API key required | None. The CISA KEV catalog is free public government data. |
| Rate limits | No rate limits on the CISA feed. You can run the actor as frequently as needed. |
Limitations
- Catalog size cap -- the actor returns a maximum of 1,000 results per run. If the full catalog exceeds 1,000 entries and no filters are applied, the oldest entries will be truncated.
- No CVSS scores -- the CISA KEV feed does not include CVSS severity scores. Use the `nvdUrl` in the output to look up CVSS scores on the NVD, or pair this actor with the NVD CVE Vulnerability Search actor.
- Text-based date filtering -- date comparisons use YYYY-MM-DD string comparison. All dates in the KEV catalog follow this format, but custom date formats in input (e.g., MM/DD/YYYY) will not work.
- Substring matching only -- the keyword, vendor, and product filters use case-insensitive substring matching, not regex or fuzzy matching. A search for "Chrome" will also match a "Chromium" entry if "Chrome" appears in any of its searchable fields.
- Snapshot-in-time data -- each run downloads the current state of the catalog. The actor does not track historical changes or diffs between runs.
- No CPE or CWE data -- the KEV feed does not include Common Platform Enumeration (CPE) strings or Common Weakness Enumeration (CWE) identifiers. Cross-reference with NVD for this data.
- CISA feed availability -- the actor depends on the CISA KEV JSON feed being accessible. If CISA's servers are temporarily unavailable, the run will fail with an HTTP error.
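The snapshot-in-time limitation can be handled downstream by keeping the previous run's dataset and comparing it with the new one. This is an added example, not part of the actor: `diff_snapshots` and `triage` are hypothetical helpers, the entries are constructed with placeholder CVE IDs, and only output fields documented on this page are used.

```python
from datetime import date

# Fields whose value on an existing entry is worth re-alerting on.
WATCHED = ("knownRansomwareCampaignUse", "dueDate", "requiredAction")

# Constructed datasets from two runs (placeholder CVE IDs, trimmed fields).
PREVIOUS = [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-07-01",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "dueDate": "2024-06-10",
     "knownRansomwareCampaignUse": "Known"},
]
CURRENT = [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-07-01",
     "knownRansomwareCampaignUse": "Known"},      # flag differs from PREVIOUS
    {"cveID": "CVE-0000-0002", "dueDate": "2024-06-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "dueDate": "2024-06-25",
     "knownRansomwareCampaignUse": "Unknown"},    # not present in PREVIOUS
]


def diff_snapshots(previous, current, watched=WATCHED):
    """Compare two run outputs keyed by cveID.

    A dateAddedFrom filter only surfaces new rows; comparing snapshots also
    catches watched fields that differ on rows already in the catalog."""
    old = {e["cveID"]: e for e in previous}
    new = {e["cveID"]: e for e in current}
    changed = {}
    for cve in sorted(set(old) & set(new)):
        delta = {f: (old[cve].get(f), new[cve].get(f))
                 for f in watched if old[cve].get(f) != new[cve].get(f)}
        if delta:
            changed[cve] = delta
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def triage(entries, today):
    """Order entries: overdue first, then ransomware-flagged, then nearest due date."""
    rows = []
    for e in entries:
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        rows.append({"cveID": e["cveID"], "daysLeft": days_left,
                     "overdue": days_left < 0,
                     "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["daysLeft"]))
    return rows
```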
Responsible use
- Respect the data source -- the CISA KEV catalog is a public service provided by the U.S. government. Avoid excessive polling frequencies that could strain CISA's infrastructure. Daily or weekly scheduled runs are more than sufficient for monitoring.
- Use for defensive purposes -- this data is intended for vulnerability management, patch prioritization, and compliance reporting. Do not use KEV data to target unpatched systems for unauthorized exploitation.
- Verify before acting -- always cross-reference KEV entries with vendor advisories, NVD details, and your own asset inventory before making remediation decisions. The KEV catalog provides prioritization guidance, not a complete vulnerability assessment.
- Handle data responsibly -- while the KEV catalog is public, your filtered outputs may reveal details about your organization's technology stack and security posture. Protect exported datasets accordingly.
- Comply with applicable regulations -- if you are a federal agency subject to BOD 22-01, ensure your use of this actor aligns with your agency's vulnerability management policies and reporting requirements.
FAQ
Q: Is an API key required to use this actor?
A: No. The CISA KEV catalog is a free public dataset published by the U.S. Cybersecurity and Infrastructure Security Agency. No authentication, API key, or registration is needed.
Q: How often is the CISA KEV catalog updated?
A: CISA updates the KEV catalog on a rolling basis, typically adding new vulnerabilities several times per week. Each run of this actor downloads the latest version of the catalog.
Q: Can I download the entire KEV catalog?
A: Yes. Run the actor with no filters and set maxResults to 1000. The actor returns all entries sorted by dateAdded descending. If the catalog exceeds 1,000 entries, the oldest entries are truncated.
Q: What does "Known" vs "Unknown" ransomware status mean?
A: "Known" means CISA has confirmed the vulnerability has been exploited in at least one ransomware campaign. "Unknown" means there is no confirmed ransomware association -- but the vulnerability is still actively exploited in the wild through other attack vectors.
Q: What is BOD 22-01?
A: Binding Operational Directive 22-01 is a CISA directive requiring all U.S. federal civilian executive branch agencies to remediate vulnerabilities listed in the KEV catalog by their specified due dates. Many private organizations voluntarily follow the same framework.
Q: Can I combine multiple filters?
A: Yes. All active filters are applied in sequence -- a vulnerability must match every active filter to appear in the results. For example, setting vendor to "Microsoft", product to "Windows", and ransomwareOnly to true returns only Microsoft Windows vulnerabilities with confirmed ransomware exploitation.
Q: How do I monitor for newly added KEV entries?
A: Create an Apify schedule that runs the actor daily with dateAddedFrom set to yesterday's date (or the last 7 days). Attach a webhook to the schedule to send notifications to Slack, email, or your SIEM when new results appear.
Q: Does this actor provide CVSS scores?
A: No. The CISA KEV feed does not include CVSS scores. Each result includes an nvdUrl field that links directly to the NVD detail page where CVSS scores are available. You can also use the NVD CVE Vulnerability Search actor to retrieve CVSS data programmatically.
Q: Can I search by CVE ID directly?
A: Yes. Enter the CVE ID (e.g., CVE-2021-44228) in the query field. The full-text search matches against the cveID field along with vendor, product, vulnerability name, and description.
Q: What happens if no filters are provided?
A: The actor returns the most recently added vulnerabilities up to the maxResults limit, sorted by dateAdded descending. A warning is logged but the run completes normally.
Q: Is the output suitable for importing into vulnerability scanners or SIEMs?
A: Yes. The output is structured JSON with consistent field names. You can download it as JSON or CSV from the Apify dataset and import it into tools like Splunk, Elastic SIEM, Qualys, Tenable, Jira, or ServiceNow.
Q: How does this differ from the NVD CVE Vulnerability Search actor?
A: This actor searches the CISA KEV catalog, which is a curated list of vulnerabilities with confirmed active exploitation. The NVD CVE Vulnerability Search actor queries the broader National Vulnerability Database, which contains over 200,000 CVEs regardless of exploitation status. The KEV catalog is a subset of NVD focused on real-world risk.
Related actors
| Actor | Description | Link |
|---|---|---|
| NVD CVE Vulnerability Search | Search the NIST National Vulnerability Database for CVE details, CVSS scores, and affected configurations. Pair with KEV data for full technical context. | NVD CVE Vulnerability Search |
| Censys Internet Host Search | Search Censys for internet-connected hosts and services. Identify exposed assets that may be affected by KEV vulnerabilities. | Censys Internet Host Search |
| DNS Record Lookup | Look up DNS records for any domain. Useful for mapping infrastructure during vulnerability assessments. | DNS Record Lookup |
| SSL Certificate Search | Search crt.sh for SSL/TLS certificates issued for a domain. Discover subdomains and certificate transparency logs. | SSL Certificate Search |
| OFAC Sanctions Search | Search the U.S. Treasury OFAC sanctions list. Useful alongside KEV data for comprehensive government compliance workflows. | OFAC Sanctions Search |
| OpenSanctions Search | Search the global OpenSanctions database of sanctioned entities. Complements cybersecurity compliance with broader due-diligence screening. | OpenSanctions Search |