Cyber Posture

Threat trends

What threat-side signals — exploitation, attribution, KEV listings — are moving?

Charts here derive from CISA's KEV catalog (confirmed exploited), vendor advisory attribution, and ATT&CK technique tags on CVEs. They are not live attacker telemetry; the page measures what is publicly observable about threat activity through CVE-side signals.

Last updated: 2026-05-15 11:31 UTC

CISA KEV — additions per month

→ How fast is CISA adding CVEs to the Known Exploited Vulnerabilities list? A rising bar means more confirmed-exploited threats are reaching ops teams.

Time from publication to KEV listing

→ For each KEV-listed CVE: how long after publication did CISA add it? Same-day means actively exploited at disclosure; years-later means it was a sleeper that became dangerous later.

Ransomware-attributed share of new KEV entries

→ For each quarter, the fraction of new KEV-catalog entries flagged by CISA as knownRansomwareCampaignUse=“Known”. A rising bar means ransomware operators are claiming a larger share of the confirmed-exploited cohort — ops teams should weight these CVEs higher in patching priority.

Attacker-attributed CVEs — weekly

→ Weekly count of CVEs where our actor-attribution pass identified at least one named threat-actor (e.g. Conti, Lazarus, APT41) exploiting the CVE. Data lives in cve_actor_attribution. Coverage is partial — the annotator runs daily over CVEs with synthesised summaries; recent weeks may grow as the backfill catches up.

ATT&CK techniques mapped to recent CVEs — rank shift

→ The top-15 MITRE ATT&CK Enterprise techniques in each of 2024, 2025, and 2026 YTD by how often they appear on annotated CVEs. This is a coverage signal on the CVE corpus — what attacker techniques the published CVEs enable. It is not a measure of which techniques attackers actually use. Limited to CVEs with ATT&CK annotations.

Tactic coverage of recent CVEs (Σ EPSS)

→ For each month, Σ EPSS of CVEs whose ATT&CK techniques map to each tactic. A CVE counts toward every tactic its techniques span. A rising band means newly-disclosed CVEs are giving attackers more material in that attack stage; not a direct telemetry signal. Limited to CVEs with ATT&CK annotations.

Active anomalies — Threat lensAI

→ Auto-detected each daily run. KEV velocity, technique mapping shifts, tactic-pressure jumps. Resolves when the metric stops triggering.

No active anomalies in this lens.