Cybersecurity has reached a paradoxical moment. Organizations are spending more than ever on vulnerability management, patching, and threat intelligence, yet exploitation continues to accelerate. The irony is baked into the modern software economy: the more businesses depend on open source to innovate, the more they depend on code they don’t control. With 97% of applications now containing open source components and roughly 70% of codebases built on them, the attack surface is no longer something companies design; it’s something they inherit.

The global security community has attempted to keep pace through increasingly curated vulnerability lists. Among them, the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog has become the most trusted reference. Launched in 2021 to highlight vulnerabilities confirmed to be exploited in the wild, KEV quickly became a top indicator of what deserves immediate attention.

But new research from Miggo Security challenges a foundational assumption: that KEV captures the majority of threats defenders should worry about. According to their analysis, relying solely on KEV means ignoring most of the vulnerabilities for which attackers already have working exploits.

Miggo’s conclusion is blunt: 88% of open source CVEs with real exploits do not appear in KEV.

Attackers Are Using What’s Already Available; Not Waiting for Verification

Miggo’s study analyzed more than 24,000 open-source vulnerabilities from the GitHub Security Advisory (GHSA) database. From that pool, the company confirmed 572 vulnerabilities containing publicly available exploit code on GitHub. The breakdown included 407 weaponized or fully functional exploits and 165 proof-of-concept exploits.

Only 69 of those 572 appeared in the KEV list.

Even among the most dangerous category of weaponized or fully functional exploits, just 68 of 407 were reflected in KEV. The blind spot is even more dramatic with proof-of-concept (PoC) exploits: 164 out of 165 were missing from KEV.

This disproportionality forms the KEV Gap: the widening mismatch between what KEV reports and what attackers can already use. The gap isn’t caused by negligence, but rather by speed. KEV requires confirmation of exploitation to list a vulnerability. However, attackers don’t wait for proof; they weaponize code as soon as it becomes publicly available.

And now, they have help. Miggo notes that modern exploitation is increasingly AI-assisted, with the time from disclosure to working exploit collapsing to minutes. The same capabilities that enable defenders to validate exploitability are being used more aggressively and more easily by threat actors.

When Patching Becomes a Race Against Automation

The consequences aren’t theoretical. The security industry’s traditional workflow assumes a rational timeline: vulnerabilities are disclosed, security teams triage them, patches are developed, and systems are updated.

But exploitation no longer respects that sequence. Patches take time; exploit code does not.

Miggo frames this through the Four Vs of modern exploitation:

• Volume: tens of thousands of new CVEs annually
• Variants: exploit mutations that evolve like software
• Velocity: weaponization within minutes of disclosure
• Visibility: distributed AI-driven applications that defy traditional monitoring

A vulnerability that becomes weaponized before a patch exists is becoming the norm. This is why organizations using lists as their primary threat-prioritization mechanism may be unknowingly operating in a post-patch world. Even if KEV were perfectly current, which no list can be, the gap between the time of disclosure and the time of defense would still remain.

If Lists Can’t Scale, Defense Must Move Closer to the Runtime

Miggo proposes that the solution is not a faster list, but a different security category altogether: proactive runtime defense. Rather than treating vulnerability management as an act of waiting for external validation, runtime systems evaluate code as it executes, determine whether a vulnerability is reachable and exploitable inside the live application, and automatically apply AI-generated virtual patching to neutralize the attack path immediately.

This reduces the mean time to mitigation from weeks or months to seconds, according to the white paper, offering organizations something they rarely have: time. In this model, developers still patch, but no longer under crisis conditions where exploitation is already in progress.

Unlike list-based and signature-driven approaches, runtime security does not depend on whether a CVE has been published, logged in KEV, or confirmed active in the wild. The defense is triggered by behavior, not bureaucracy.
 

The Security Conversation Has Shifted, And the Industry Must Catch Up

Miggo’s report doesn’t position KEV as obsolete; it positions it as incomplete. In an era where attackers weaponize vulnerabilities faster than lists can verify them, security programs built solely on lists are anchored in delay.

The most significant theme emerging from the white paper is realism. Open-source software is here to stay; exploitation velocity is not slowing, and AI is amplifying both sides of the equation. No list can operate at machine speed. But runtime security can.

As Miggo emphasizes, software can no longer rely on published knowledge to decide what’s dangerous. It needs to observe itself.