Analysis of one billion CISA KEV remediation records exposes limits of human-scale security

A recent analysis of over one billion remediation records from the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog reveals the limitations of human-scale security efforts. The study, which examined records from CISA's KEV catalog, found that the majority of critical vulnerabilities are being exploited by attackers before they can be patched by defenders. This is particularly concerning for vulnerabilities with assigned CVE numbers, which are often publicly disclosed and can be quickly exploited by malicious actors. The analysis, conducted by Qualys, highlights the need for automated security solutions to supplement human efforts, as the sheer volume of vulnerabilities and exploits has become too great for human teams to keep up with¹. This matters to security practitioners because it underscores the importance of implementing scalable, automated security measures to stay ahead of increasingly sophisticated threats.