Technology leaders often describe software supply chains as “interconnected.” A more accurate word today might be “interdependent.” Businesses now run on code that depends on code that depends on code, an exponential cascade of open source libraries powering nearly every digital product. The productivity benefits are undeniable, but so is the exposure: most organizations don’t know which vulnerabilities inside those libraries are actively being exploited until the damage is already done.
The numbers tell a blunt story. The 2025 Open Source Security and Risk Analysis report reveals that 97% of all applications now incorporate open source components, comprising approximately 70% of the average application codebase, with more than 900 open source components per application. Every one of those inherited components is a moving target for both attackers and defenders.
To navigate this risk, the industry has largely relied on a single signal: the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. Its value proposition has been irresistible. If a vulnerability is discovered in KEV and confirmed to be exploited in the wild, it deserves urgent attention. For years, that was considered the most reliable view of real threat activity.
Miggo Security’s latest research offers evidence that this assumption no longer aligns with reality.
When Confirmation Becomes a Liability
Miggo analyzed more than 24,000 open-source vulnerabilities from the GitHub Security Advisory (GHSA) database, spanning npm, PyPI, Maven, RubyGems, and others. Within that dataset, their researchers found 572 vulnerabilities that included at least one GitHub-hosted exploit repository.
Then came the comparison against KEV.
Only 69 of the 572 exploits identified by Miggo were present in KEV.
That means 88% of the vulnerabilities with working exploit code are not reflected in the KEV list.
The details make the gap even harder to dismiss:
- 407 exploits were weaponized or fully functional; KEV captured only 68
- 165 were proof-of-concept exploits; KEV captured just one
For organizations basing response plans on KEV, the implication is stark: most of the publicly available exploit code that attackers can use today remains invisible to the defensive system they rely on most.
This isn’t because KEV is flawed. It’s because KEV is confirmation-driven, and confirmation takes time. Exploitation does not.
AI Has Collapsed the Window Between Discovery and Weaponization
Miggo points to a defining shift in the cybersecurity timeline: the moment of disclosure and the moment of exploitation used to be separated by a meaningful amount of time. Organizations were able to spot high-risk vulnerabilities, gather intelligence, and patch before exploitation became widespread.
That era is gone. Miggo notes that AI now allows attackers to weaponize new vulnerabilities within minutes of disclosure. The research reinforces that the traditional pathway of disclosure, confirmation, and patching has become so compressed as to be of little use. When attackers automate exploitation and defenders wait for verified incidents, the outcome is predictable.
Miggo describes the driving forces behind this accelerating imbalance as the Four Vs of modern exploitation:
- overwhelming Volume of CVEs
- constantly mutating Variants
- machine-speed Velocity
- shrinking Visibility across dynamic and distributed applications
A list like KEV can only reflect what has already been confirmed, not what is already exploitable. The gap between these two is where risk multiplies.
Defense Must Move From Knowledge to Interruption
Miggo’s proposed solution isn’t to fix KEV, expand KEV, or replace KEV. It is to remove KEV as the dependency for timely protection.
Instead of security teams waiting for external confirmation and rushing to patch afterward, Miggo advocates for proactive runtime defense. This system evaluates whether a vulnerability is truly exploitable inside the running application and automatically deploys AI-generated virtual patching to neutralize the attack path immediately.
The white paper highlights that this approach can reduce the mean time to mitigation from weeks or months to seconds, preventing exploitation while developers work on permanent fixes. And unlike list-based methods, runtime defense does not depend on CVE publication, on KEV listing, or on evidence that exploitation has already happened.
If a vulnerability becomes exploitable within the runtime, mitigation occurs instantly, regardless of whether the vulnerability is documented or not.
The Future of Defense Is About Speed, Not Lists
KEV remains useful, but it no longer defines risk. It reflects the past, not the present. In an AI-accelerated threat landscape, defenders cannot wait for verification while attackers exploit the gap between disclosure and confirmation.
The white paper leaves little room for ambiguity: the decisive battleground of cybersecurity is no longer what the industry knows, but rather what it can stop, and how quickly.
Software has evolved into something dynamic. Protection now must do the same.
