For nearly two decades, cybersecurity strategy has centered on a simple equation: identify the vulnerabilities that are being actively exploited and address them first. It was logical, measurable, and, until recently, effective. But the premise collapses in a world where attackers can weaponize vulnerabilities in minutes, while defenders wait days, weeks, or months for official confirmation.
The scale of the transition becomes clear when viewed through the lens of modern software development. Open source now represents roughly 70% of the average application codebase, and 97% of all applications include open source components, with more than 900 components per application. Complexity is no longer confined to code that companies write; it extends to thousands of dependencies written and maintained by global communities. Innovation has never been faster, and neither has compromise.
The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog emerged as a turning point. Introduced in 2021, KEV gave security teams a way to cut through noise by spotlighting vulnerabilities confirmed to be exploited in the wild. The intended effect was prioritization clarity: focus on what’s dangerous now, not what might become dangerous later.
However, new research from Miggo Security suggests that the strategy no longer reflects real-world risk. According to the company’s latest analysis, a staggering 88% of open source vulnerabilities with documented exploits are not listed in KEV.
The Discrepancy Isn’t Small; It’s Systemic
To quantify the disconnect, Miggo analyzed more than 24,000 vulnerabilities from the GitHub Security Advisory (GHSA) database, focusing exclusively on open-source ecosystems. The research identified 572 vulnerabilities that included at least one GitHub-hosted exploit repository.
And the findings were hard to ignore:
- Only 69 of the 572 exploits appeared in KEV
- 407 of the exploits were weaponized or fully functional
- 165 were proof-of-concept exploits
Yet KEV reflected just 68 of the 407 functional exploits, and only 1 of the 165 proof-of-concept exploits.
In other words, nearly nine out of ten vulnerabilities with working exploit code are not represented at all in KEV. The gap has already arrived.
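The cross-reference Miggo describes above, as an added example that is not Miggo's code and assumes nothing about its method beyond what the article states: it takes advisory records in the shape of GitHub's advisories API and CISA's KEV JSON feed, keeps only advisories that link to a GitHub-hosted repository other than the project's own, and reports how many of those are absent from KEV, split by an analyst-supplied exploit maturity label. Field names (`cveID`, `cve_id`, `references`, `source_code_location`) follow the two feeds as published; the records themselves are constructed for this example.

```python
import json
import re
from collections import Counter

# Exactly owner/repo; deeper paths (commits, issues, GHSA pages) are not repositories.
GITHUB_REPO = re.compile(r"^https://github\.com/([\w.-]+)/([\w.-]+)$")

def exploit_repos(advisory: dict) -> list:
    """GitHub repos linked from an advisory's references, excluding the project's own
    repo ('source_code_location'): a link to the patched code is not an exploit."""
    own = (advisory.get("source_code_location") or "").rstrip("/")
    repos = []
    for ref in advisory.get("references", []):
        url = ref.rstrip("/")
        if (m := GITHUB_REPO.match(url)) and m.group(1) != "advisories" and url != own:
            repos.append(url)
    return repos

def coverage_gap(advisories: list, kev_json: str, maturity: dict) -> dict:
    """Split advisories that carry exploit repos by maturity and KEV membership. 'maturity'
    (repo URL -> 'functional'|'poc') is analyst input: neither GHSA nor KEV records it."""
    kev_ids = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}
    stats = Counter()
    for adv in advisories:
        repos = exploit_repos(adv)
        if repos:  # advisories without an exploit repo are out of scope
            level = "functional" if any(maturity.get(r) == "functional" for r in repos) else "poc"
            stats[(level, adv.get("cve_id") in kev_ids)] += 1
    total = sum(stats.values())
    covered = sum(n for (_, in_kev), n in stats.items() if in_kev)
    return {"with_exploit": total, "in_kev": covered,
            "not_in_kev_pct": round(100.0 * (total - covered) / total, 1) if total else 0.0,
            "by_maturity": {f"{lvl}/{'kev' if k else 'not-kev'}": n for (lvl, k), n in stats.items()}}

def run_sample() -> dict:
    """Constructed records in the shape of the two feeds (not real advisories)."""
    kev = json.dumps({"vulnerabilities": [{"cveID": "CVE-2024-0001"}, {"cveID": "CVE-2024-0004"}]})
    advisories = [
        {"cve_id": "CVE-2024-0001", "source_code_location": "https://github.com/acme/widget", "references": [
            "https://github.com/acme/widget", "https://github.com/acme/widget/commit/abc123",
            "https://github.com/researcher/widget-exploit"]},
        {"cve_id": "CVE-2024-0002", "references": ["https://github.com/someone/poc-0002"]},
        {"cve_id": "CVE-2024-0003", "references": ["https://github.com/advisories/GHSA-xxxx-yyyy-zzzz", "https://github.com/someone/exploit-0003"]},
        {"cve_id": "CVE-2024-0004", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2024-0004"]},
        {"cve_id": "CVE-2024-0005", "references": ["https://github.com/lab/exploit-0005/"]},
    ]
    maturity = {"https://github.com/researcher/widget-exploit": "functional", "https://github.com/someone/poc-0002": "poc",
                "https://github.com/someone/exploit-0003": "functional", "https://github.com/lab/exploit-0005": "functional"}
    return coverage_gap(advisories, kev, maturity)
```

On the constructed sample, three of the four advisories with exploit repositories are missing from KEV (75%), which is the ratio the article's figures describe at scale.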
Miggo notes that KEV’s constraint is not mismanagement; it is design. Because KEV requires confirmation of exploitation before inclusion, it will always be a reactive approach. However, in the current threat landscape, confirmation often lags behind exploitation, and attackers do not wait for validation before taking action.
AI Is Compressing the Timeline and Redefining the Risk Model
A core theme of Miggo’s research is the evolving asymmetry between offense and defense. Modern exploitation is now augmented by AI, which accelerates both exploit development and exploit replication. The time between vulnerability disclosure and real-world weaponization has effectively collapsed.
That collapse is compounded by what Miggo calls the Four Vs:
- Volume: thousands of new CVEs every year
- Variants: exploits adapting as fast as software evolves
- Velocity: weaponization within minutes of disclosure
- Visibility: distributed architectures and AI-driven components that obscure attack paths
No vulnerability list can track, validate, and publish changes at the speed AI exploitation enables.
The Defensive Model Shifts From Knowing to Interrupting
Miggo offers an alternative to the list-based, patch-dependent model: proactive runtime defense. Rather than relying on external validation to gauge risk, runtime security evaluates applications as they are executing, identifies whether a vulnerability is exploitable in the current environment, and then deploys AI-generated virtual patches to block that path immediately.
Unlike KEV-driven workflows, runtime defense doesn’t require a CVE to be published, doesn’t depend on KEV inclusion, doesn’t wait for exploit confirmation, and doesn’t require a patch window before blocking attacks.
Miggo reports that this shifts the mean time to mitigation from weeks or months to seconds, giving engineering teams time to patch safely instead of reactively.
The white paper is clear: this is not simply an enhancement to existing security; it is a response to a world where vulnerability management alone cannot keep up with the automation of exploitation.
Why the Industry’s Next Breakthrough Will Be at Runtime
KEV remains an important signal, but it cannot be the foundation of modern risk management. A list that reflects confirmed exploitation will always lag behind an attacker who can weaponize code automatically, using the same AI models defenders use to analyze it. Software has become dynamic, and defense must become dynamic with it.
Miggo’s research reframes the cybersecurity hierarchy. In the AI era, the deciding factor is no longer who knows more, but who can act faster. Action can only occur where the software is actually running.