jim-wyatt/known_exploited_vulnerabilities_analysis

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

62 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

CISA Known Exploited Vulnerabilities (KEV) Analysis

A comprehensive Jupyter Notebook for analyzing the CISA Known Exploited Vulnerabilities (KEV) catalog. This tool provides interactive visualizations, statistical analysis, and actionable security recommendations based on real-world exploited vulnerabilities.

πŸ” Overview

The CISA Known Exploited Vulnerabilities (KEV) catalog tracks CVEs that have been actively exploited in the wild. This analysis notebook helps security teams:

  • Identify high-risk vendors and products requiring immediate patching
  • Understand ransomware exploitation patterns across different technologies
  • Prioritize remediation efforts using statistical analysis and risk scoring
  • Track vulnerability trends over time with year-over-year comparisons
  • Export actionable data for reporting and integration with other tools

✨ Features

🎨 Interactive Visualizations

  • Interactive Plotly charts with hover tooltips, zoom, and filtering
  • Timeline analysis showing vulnerability trends and cumulative growth
  • Ransomware heatmaps identifying high-risk vendor/product combinations
  • CWE category analysis with color-coded severity indicators
  • Bubble charts visualizing vendor risk profiles

📊 Advanced Analytics

  • Statistical filtering using mean + standard deviation thresholds
  • Pareto analysis (80/20 rule) for identifying critical vendors/products
  • Risk scoring algorithm combining vendor impact, ransomware use, and CWE prevalence
  • Year-over-year trend analysis with growth rates and monthly distributions
  • Data quality validation with automated checks for missing values and duplicates

⚡ Performance Optimization

  • 24-hour data caching to minimize API calls and improve performance
  • Configurable parameters for easy customization without code changes
  • Efficient data processing with pandas vectorization

📤 Multiple Export Formats

  • Excel workbooks with multiple sheets (summary, vendors, products, CWE, risks)
  • JSON export for machine-readable data and API integration
  • CSV exports for individual analysis components

🔧 Flexible Filtering

  • Filter by date range to analyze specific time periods
  • Filter by vendor to focus on specific organizations
  • Filter by ransomware status to prioritize known threats

🚀 Installation

Prerequisites

  • Python 3.12 or higher
  • pip (Python package manager)
  • Git

Setup Instructions

  1. Clone the repository

    git clone https://github.com/yourusername/known_exploited_vulnerabilities.git
    cd known_exploited_vulnerabilities
  2. Create a virtual environment (recommended)

    python -m venv .venv
    source .venv/bin/activate  # On Windows: .venv\Scripts\activate
  3. Install required packages

    pip install -r requirements.txt

    Or install manually:

    pip install pandas matplotlib plotly openpyxl nbformat jupyter
  4. Launch Jupyter Notebook

    jupyter notebook known_exploited_vulnerabilities.ipynb

📖 Usage

Quick Start

  1. Open known_exploited_vulnerabilities.ipynb in Jupyter
  2. Run all cells: Cell > Run All
  3. Review the interactive visualizations and analysis
  4. Check the exported files in the project directory

Step-by-Step Execution

  1. Configuration (Cell 2): Set analysis parameters

    TOP_N_VENDORS = 20          # Number of top vendors to analyze
    RISK_THRESHOLD = 0.25       # 25% ransomware threshold
    CACHE_AGE_HOURS = 24        # Data cache duration
  2. Data Loading (Cell 3): Automatically fetches and caches CISA KEV data

  3. Data Quality Checks (Cell 4): Validates data integrity

  4. Data Processing (Cell 5): Aggregates and filters vulnerability data

  5. Interactive Filtering (Cell 7): Customize your analysis

    filter_start_date = '2024-01-01'  # Optional date range
    filter_vendors = ['Microsoft', 'Apple']  # Optional vendor filter
    filter_ransomware_only = True  # Show only ransomware CVEs
  6. Visualizations (Cells 8-15): Interactive charts and analysis

  7. Recommendations (Cells 16-18): Actionable security insights

  8. Export (Cell 19): Generate Excel, JSON, and CSV files

Cleaning Up Generated Files

The notebook generates various analysis files (CSV, JSON, XLSX) during execution. To clean these up:

# Clean up all generated files
./scripts/clean.sh

This removes:

  • Timestamped analysis files (analysis_summary_*.csv, vendor_analysis_enhanced_*.csv)
  • Export files (kev_analysis_*.json, kev_analysis_*.xlsx)
  • Cached data (cisa_kev_cache.csv)
  • Intermediate analysis CSVs

Note: The cleanup script preserves:

  • Source code (.py, .ipynb)
  • Documentation (.md)
  • Configuration files
  • index.html (GitHub Pages output)

🌐 Publishing to GitHub Pages

You can publish your executed notebook with all visualizations as a static website on GitHub Pages.

Method 1: Automated with GitHub Actions (Recommended)

The repository includes a GitHub Actions workflow that automatically builds and deploys your notebook on every push.

Setup:

  1. Push your repository to GitHub
  2. Go to Settings → Pages
  3. Set source to gh-pages branch (will be created automatically)
  4. Wait for the workflow to complete
  5. Access your site at: https://yourusername.github.io/repository-name/

The workflow (.github/workflows/publish-notebook.yml) automatically:

  • Executes the notebook
  • Converts to HTML with all interactive Plotly charts
  • Deploys to GitHub Pages

Method 2: Manual Build and Deploy

Build locally:

# Execute and convert notebook to HTML
# (automatically cleans up old generated files first)
./scripts/build_pages.sh

# Optional: Clean up intermediate files after build
CLEANUP_AFTER_BUILD=true ./scripts/build_pages.sh

You can also manually clean up generated files at any time:

./scripts/clean.sh

Or use nbconvert directly:

pip install nbconvert
jupyter nbconvert --to html --execute known_exploited_vulnerabilities.ipynb --output index.html

Deploy to GitHub Pages:

  1. Commit index.html to your repository
  2. Go to repository Settings → Pages
  3. Set source to main branch / root
  4. Your site will be live in a few minutes

Method 3: View with nbviewer (No Setup Required)

Share your notebook via nbviewer (works immediately, no setup):

https://nbviewer.org/github/yourusername/repository-name/blob/main/known_exploited_vulnerabilities.ipynb

Or add this badge to your README:

[![nbviewer](https://raw.githubusercontent.com/jupyter/design/master/logos/Badges/nbviewer_badge.svg)](https://nbviewer.org/github/yourusername/repository-name/blob/main/known_exploited_vulnerabilities.ipynb)

Features of Published Site

  • All interactive Plotly charts work in the browser
  • Fully responsive design
  • No code cells displayed (clean presentation)
  • Fast loading with optimized HTML
  • Shareable URL for stakeholders

Customizing the Published Page

Edit the notebook markdown cells to customize:

  • Title and description
  • Analysis narrative
  • Insights and recommendations

The GitHub Actions workflow will automatically rebuild on push.

βš™οΈ Configuration

All configuration is centralized in Cell 2. Key parameters:

Parameter             Default               Description
--------------------  --------------------  ----------------------------------------
CHART_STYLE           'seaborn-v0_8'        Matplotlib style theme
TOP_N_VENDORS         20                    Number of top vendors to display
TOP_N_PRODUCTS        20                    Number of top products to display
TOP_N_CWES            20                    Number of top CWE categories to display
RISK_THRESHOLD        0.25                  Ransomware percentage threshold (25%)
CUMULATIVE_THRESHOLD  0.80                  Pareto analysis threshold (80%)
CACHE_FILE            'cisa_kev_cache.csv'  Local cache filename
CACHE_AGE_HOURS       24                    Cache refresh interval (hours)
EXPORT_EXCEL          True                  Enable Excel export
EXPORT_JSON           True                  Enable JSON export

📊 Analysis Components

1. Year-over-Year Trends

  • Total CVEs by year
  • Growth rate analysis
  • Monthly distribution patterns
  • Ransomware trends over time

2. Vendor Risk Analysis

  • Top vendors by vulnerability count
  • Ransomware exploitation percentages
  • Bubble chart visualization of risk profiles
  • Statistical filtering (80/20 Pareto analysis)
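The vendor-level statistics described above (count and ransomware share per vendor, a mean + standard-deviation cut-off, and the 80/20 Pareto cut) as an added example that is not the notebook's own code; it uses only the Python standard library rather than pandas, and the sample rows, vendor names and thresholds are constructed for illustration:

```python
from collections import Counter
from statistics import mean, pstdev

CUMULATIVE_THRESHOLD = 0.80   # Pareto cut, same role as the Configuration setting
RISK_THRESHOLD = 0.25         # ransomware share that flags a vendor

def _rows(vendor, n, ransomware):
    """Constructed KEV-shaped rows: n CVEs for vendor, the first `ransomware` flagged."""
    return [{"vendorProject": vendor,
             "knownRansomwareCampaignUse": "Known" if i < ransomware else "Unknown"}
            for i in range(n)]

# Constructed sample: 20 CVEs across five vendors (not real catalog data).
SAMPLE_ROWS = (_rows("VendorA", 10, 4) + _rows("VendorB", 5, 0) +
               _rows("VendorC", 3, 1) + _rows("VendorD", 1, 0) + _rows("VendorE", 1, 1))

def vendor_stats(rows):
    """Per-vendor CVE count and ransomware share, most affected vendor first."""
    total, ransom = Counter(), Counter()
    for r in rows:
        v = r["vendorProject"]
        total[v] += 1
        if r.get("knownRansomwareCampaignUse", "").strip().lower() == "known":
            ransom[v] += 1
    stats = [{"vendor": v, "cves": n, "ransomware_pct": ransom[v] / n} for v, n in total.items()]
    return sorted(stats, key=lambda s: (-s["cves"], s["vendor"]))

def above_mean_plus_std(stats, k=1.0):
    """Vendors whose CVE count exceeds mean + k * std-dev of all vendor counts."""
    counts = [s["cves"] for s in stats]
    cutoff = mean(counts) + k * pstdev(counts)
    return [s["vendor"] for s in stats if s["cves"] > cutoff]

def pareto_vendors(stats, threshold=CUMULATIVE_THRESHOLD):
    """Smallest leading set of vendors whose CVEs reach `threshold` of the total."""
    grand = sum(s["cves"] for s in stats)
    running, chosen = 0, []
    for s in stats:
        chosen.append(s["vendor"])
        running += s["cves"]
        if running / grand >= threshold:
            break
    return chosen

def high_ransomware_vendors(stats, threshold=RISK_THRESHOLD):
    """Vendors at or above the ransomware-share threshold."""
    return [s["vendor"] for s in stats if s["ransomware_pct"] >= threshold]
```

The mean + std-dev cut and the Pareto cut select different vendor sets on the same data, which is why the notebook reports both.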

3. Product Vulnerability Mapping

  • Most vulnerable products
  • Vendor-product heatmaps
  • Critical product identification

4. CWE Category Insights

  • Common weakness enumeration analysis
  • Color-coded severity indicators
  • Description mapping for readability

5. Ransomware Intelligence

  • Known ransomware campaign CVEs
  • Vendor/product ransomware exposure
  • High-risk combinations

6. Risk Scoring

  • Custom algorithm: Risk = Vendor Impact × Ransomware Multiplier × CWE Prevalence
  • Top 10 most critical vulnerabilities
  • Priority recommendations
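One way to realise the Risk = Vendor Impact × Ransomware Multiplier × CWE Prevalence formula, as an added example rather than the notebook's own scoring code: the README gives the formula's shape only, so the normalisation of vendor impact, the 2.0 ransomware weight and the CWE-prevalence floor are assumptions, and the CVE IDs and rows are constructed placeholders:

```python
from collections import Counter

RANSOMWARE_MULTIPLIER = 2.0   # assumed weight for knownRansomwareCampaignUse == "Known"

# Constructed sample rows with placeholder CVE IDs (not real catalog data).
SAMPLE_ROWS = [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "knownRansomwareCampaignUse": "Known", "cwes": "CWE-787"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorA", "knownRansomwareCampaignUse": "Unknown", "cwes": "CWE-787"},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorA", "knownRansomwareCampaignUse": "Unknown", "cwes": "CWE-20"},
    {"cveID": "CVE-0000-0004", "vendorProject": "VendorB", "knownRansomwareCampaignUse": "Known", "cwes": "CWE-787, CWE-20"},
    {"cveID": "CVE-0000-0005", "vendorProject": "VendorC", "knownRansomwareCampaignUse": "Unknown", "cwes": ""},
]

def _cwe_list(field):
    """The KEV cwes column may carry several IDs separated by commas."""
    return [c.strip() for c in (field or "").split(",") if c.strip()]

def risk_scores(rows, top_n=10):
    """Score each CVE as Vendor Impact x Ransomware Multiplier x CWE Prevalence; return the top_n."""
    n = len(rows)
    vendor_counts = Counter(r["vendorProject"] for r in rows)
    cwe_counts = Counter(c for r in rows for c in _cwe_list(r.get("cwes")))
    max_vendor = max(vendor_counts.values())
    scored = []
    for r in rows:
        vendor_impact = vendor_counts[r["vendorProject"]] / max_vendor   # normalised to 0..1
        ransom = (RANSOMWARE_MULTIPLIER
                  if r.get("knownRansomwareCampaignUse", "").strip().lower() == "known" else 1.0)
        cwes = _cwe_list(r.get("cwes"))
        # Share of the catalog carrying the entry's most common CWE; a floor of 1/n
        # keeps entries with no CWE recorded from scoring zero and disappearing.
        prevalence = max((cwe_counts[c] / n for c in cwes), default=1 / n)
        scored.append({"cveID": r["cveID"], "vendor": r["vendorProject"],
                       "risk": round(vendor_impact * ransom * prevalence, 4)})
    scored.sort(key=lambda s: (-s["risk"], s["cveID"]))
    return scored[:top_n]
```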

7. Remediation Planning

  • Overdue patches identification
  • Upcoming due dates (30-day window)
  • Urgency metrics
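The overdue / 30-day-window split above, as an added example (not the notebook's own code) that buckets entries by the KEV dueDate column relative to a supplied reference date; the rows and CVE IDs are constructed placeholders, and an entry whose date cannot be parsed is reported rather than silently dropped:

```python
from datetime import date, timedelta

DUE_WINDOW_DAYS = 30   # the "upcoming due dates" window

# Constructed sample rows with placeholder CVE IDs; dueDate uses the KEV YYYY-MM-DD format.
SAMPLE_ROWS = [
    {"cveID": "CVE-0000-0001", "dueDate": "2026-01-10"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-12-01"},
    {"cveID": "CVE-0000-0003", "dueDate": "2026-02-10"},
    {"cveID": "CVE-0000-0004", "dueDate": "2026-02-24"},
    {"cveID": "CVE-0000-0005", "dueDate": "2026-03-15"},
    {"cveID": "CVE-0000-0006", "dueDate": ""},
]

def remediation_buckets(rows, today, window_days=DUE_WINDOW_DAYS):
    """Split entries into overdue, due within window_days, and later, plus urgency counts."""
    overdue, due_soon, later, unparsed = [], [], [], []
    horizon = today + timedelta(days=window_days)
    for r in rows:
        try:
            due = date.fromisoformat(r["dueDate"])
        except (KeyError, ValueError):
            unparsed.append(r.get("cveID"))   # surface bad dates instead of losing the entry
            continue
        item = {"cveID": r["cveID"], "dueDate": due, "days_left": (due - today).days}
        if due < today:
            overdue.append(item)
        elif due <= horizon:
            due_soon.append(item)
        else:
            later.append(item)
    for bucket in (overdue, due_soon, later):
        bucket.sort(key=lambda i: i["dueDate"])   # longest overdue / soonest due first
    summary = {"overdue": len(overdue), "due_soon": len(due_soon), "later": len(later),
               "unparsed": len(unparsed),
               "max_days_overdue": max((-i["days_left"] for i in overdue), default=0)}
    return {"overdue": overdue, "due_soon": due_soon, "later": later,
            "unparsed": unparsed, "summary": summary}
```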

πŸ“ Export Formats

Excel Workbook (kev_analysis_TIMESTAMP.xlsx)

7 Sheets:

  1. Summary - Executive overview
  2. Vendors - Detailed vendor analysis with ransomware metrics
  3. Products - Product vulnerability counts
  4. CWE_Categories - Weakness type analysis
  5. Ransomware - Ransomware-specific data
  6. Risk_Scores - Top 50 highest-risk CVEs
  7. YoY_Trends - Year-over-year statistics

JSON Export (kev_analysis_TIMESTAMP.json)

Structured data including:

  • Analysis metadata
  • Top vendors/products/CWEs
  • Risk scores
  • Year-over-year trends
  • Complete dataset

CSV Exports

  • analysis_summary_TIMESTAMP.csv - Executive summary
  • vendor_analysis_enhanced_TIMESTAMP.csv - Enhanced vendor data
  • due_date_analysis.csv - Timeline statistics
  • notes_summary.csv - Vulnerability notes

🌐 Data Source

Official CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

  • Update Frequency: Updated regularly by CISA as new exploited vulnerabilities are discovered
  • Data Format: CSV
  • Cache Strategy: Local 24-hour cache to minimize API calls
  • Refresh: Delete cisa_kev_cache.csv or wait 24 hours for automatic refresh
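The cache strategy described above, as an added example that is not the notebook's own loader: it reuses cisa_kev_cache.csv while it is younger than CACHE_AGE_HOURS, downloads otherwise, and refuses to overwrite a good cache with a download that lacks the expected KEV columns. The CSV download URL is assumed from the catalog page, and the fetch function is injectable so the loader can be exercised offline:

```python
import csv
import io
import os
import time
import urllib.request
from typing import Callable, Optional

# Assumed values: the CACHE_FILE / CACHE_AGE_HOURS settings from the Configuration
# table, and the catalog's published CSV download URL.
CACHE_FILE = "cisa_kev_cache.csv"
CACHE_AGE_HOURS = 24
KEV_CSV_URL = "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"

# Columns the analysis depends on; a download missing any of them is rejected
# rather than written over a previously good cache.
REQUIRED_COLUMNS = {"cveID", "vendorProject", "product", "dateAdded",
                    "dueDate", "knownRansomwareCampaignUse"}

def cache_is_fresh(path: str, max_age_hours: float, now: Optional[float] = None) -> bool:
    """True when the cache file exists and its mtime is within max_age_hours."""
    if not os.path.exists(path):
        return False
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) < max_age_hours * 3600

def fetch_kev_csv(url: str = KEV_CSV_URL) -> str:
    """Download the catalog text; kept separate so a fake fetcher can be injected."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")

def load_kev(cache_file: str = CACHE_FILE, max_age_hours: float = CACHE_AGE_HOURS,
             fetch: Callable[[], str] = fetch_kev_csv) -> list:
    """Return KEV rows as dicts, downloading only when the cache is missing or stale."""
    if cache_is_fresh(cache_file, max_age_hours):
        with open(cache_file, newline="", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = fetch()
        header = next(csv.reader(io.StringIO(text)), [])
        missing = REQUIRED_COLUMNS - set(header)
        if missing:
            raise ValueError(f"KEV download is missing columns: {sorted(missing)}")
        with open(cache_file, "w", newline="", encoding="utf-8") as fh:
            fh.write(text)
    return list(csv.DictReader(io.StringIO(text)))
```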

📦 Requirements

Python Packages

pandas>=3.0.0
matplotlib>=3.10.0
plotly>=5.0.0
openpyxl>=3.1.0
nbformat>=4.2.0
jupyter>=1.0.0

System Requirements

  • Memory: 2GB+ recommended for large datasets
  • Disk Space: 50MB+ for cache and exports
  • Internet: Required for initial CISA data fetch

📂 Project Structure

known_exploited_vulnerabilities/
├── README.md                               # This file
├── requirements.txt                        # Python dependencies
├── known_exploited_vulnerabilities.ipynb   # Main analysis notebook
├── .venv/                                  # Virtual environment (optional)
├── cisa_kev_cache.csv                      # Cached CISA data (auto-generated)
├── kev_analysis_TIMESTAMP.xlsx             # Excel export (auto-generated)
├── kev_analysis_TIMESTAMP.json             # JSON export (auto-generated)
├── analysis_summary_TIMESTAMP.csv          # Summary CSV (auto-generated)
├── vendor_analysis_enhanced_TIMESTAMP.csv  # Vendor CSV (auto-generated)
└── *.csv                                   # Other exported CSV files

πŸ› οΈ Scripts Overview

Build & Deployment Scripts

build_pages.sh - Main build automation script

  • Converts Jupyter notebook to web presentation for GitHub Pages
  • Automatically cleans old generated files before building
  • 4-step process: clean → prepare → execute → convert → post-process
  • Usage: ./scripts/build_pages.sh
  • With cleanup: CLEANUP_AFTER_BUILD=true ./scripts/build_pages.sh

test_build.sh - Build validation script

  • Tests that notebook can be executed successfully
  • Validates HTML output generation
  • Useful for pre-push validation
  • Usage: ./scripts/test_build.sh

clean.sh - File cleanup utility

  • Removes all timestamped analysis files (CSV, JSON, XLSX)
  • Clears data caches
  • Preserves source code and documentation
  • Useful for reducing repository size
  • Usage: ./scripts/clean.sh

Python Utility Scripts

notebook_utils.py - Consolidated notebook preparation utilities

  • Adds Reveal.js metadata to cells for slide generation
  • Converts title cells to markdown format
  • Restores title displays for extraction
  • Can be used as module or CLI tool
  • Usage: python src/notebook_utils.py or from src.notebook_utils import add_slide_metadata

fix_slides_html.py - HTML post-processing for presentations

  • Injects custom CSS for dark theme and styling
  • Extracts slide titles and positions them outside scrollable content
  • Fixes scrolling behavior for long slides
  • Automatically run by build_pages.sh
  • Usage: python scripts/fix_slides_html.py index.slides.html

Configuration & Styling

custom_slides.css - Presentation stylesheet

  • Dark theme with neon green accents
  • Scrollable content areas for long slides
  • Properly positioned slide titles
  • Injected by fix_slides_html.py during build

Documentation

DEVELOPMENT.md - Developer guide with detailed build process explanation

For more details on extending or customizing, see docs/DEVELOPMENT.md.

🎯 Use Cases

Security Operations Centers (SOCs)

  • Daily/weekly vulnerability trend monitoring
  • Prioritization of patching activities
  • Threat intelligence integration

Vulnerability Management Teams

  • Risk-based patch prioritization
  • Vendor risk assessment
  • Remediation timeline planning

Executive Reporting

  • Security posture dashboards
  • Trend analysis for board meetings
  • KPI tracking (time-to-patch, exposure metrics)

Compliance & Audit

  • CISA BOD 22-01 compliance tracking
  • Evidence of vulnerability management process
  • Historical vulnerability data for audits

🤝 Contributing

Contributions are welcome! Here's how you can help:

  1. Fork the repository
  2. Create a feature branch
    git checkout -b feature/your-feature-name
  3. Make your changes
  4. Test thoroughly
  5. Commit with descriptive messages
    git commit -m "Add: Description of your feature"
  6. Push to your fork
    git push origin feature/your-feature-name
  7. Open a Pull Request

Development Guidelines

  • Follow PEP 8 style guidelines
  • Add comments for complex logic
  • Update documentation for new features
  • Test with the latest CISA KEV data
  • Include examples in docstrings

πŸ“ License

This project is licensed under the MIT License - see below for details:

MIT License

Copyright (c) 2026

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

πŸ™ Acknowledgments

  • CISA for maintaining the Known Exploited Vulnerabilities catalog
  • MITRE for the CWE (Common Weakness Enumeration) classification
  • The open-source community for the excellent Python data science ecosystem

📞 Support

For questions, issues, or feature requests:

  1. GitHub Issues: Open an issue on the repository
  2. Documentation: Review this README and notebook comments
  3. CISA KEV Updates: Check https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Security

See docs/SECURITY.md for our security policy and how to report vulnerabilities.

🔄 Version History

See docs/CHANGELOG.md for detailed version history.

Current Version: v1.0.0 (January 2026)

  • Interactive Plotly visualizations
  • Year-over-year trend analysis
  • Excel/JSON/CSV export capabilities
  • Data caching and quality checks
  • Configurable parameters
  • Comprehensive risk scoring

🚧 Roadmap

Future enhancements under consideration:

  • CVSS score integration
  • Automated email reports
  • Dashboard deployment (Streamlit/Dash)
  • Historical trend database
  • Custom filtering UI
  • Integration with vulnerability scanners
  • Multi-source data correlation (NVD, EPSS)

Made with ❤️ for the cybersecurity community

Last Updated: January 25, 2026