by IT Integrations Team

The Free Cybersecurity Tool Most Fort Worth Businesses Are Ignoring: The CISA KEV Catalog

On April 20, 2026, the Cybersecurity and Infrastructure Security Agency added eight more vulnerabilities to its Known Exploited Vulnerabilities catalog, including three separate flaws in Cisco Catalyst SD-WAN Manager that attackers were already using in the wild. Six days earlier, they added two more. On April 1, they added one. This is a typical month. CISA has added vulnerabilities to the list most weeks since they started the catalog in 2021.

Here is the part that surprises people. The catalog is free. It is public. Anyone can subscribe to the notifications. And most Fort Worth small and mid-sized businesses have never heard of it, do not subscribe to it, and have no process for acting on the information in it. Meanwhile, according to the 2025 Verizon Data Breach Investigations Report, exploitation of known vulnerabilities climbed 34% year over year and now sits behind 20% of confirmed breaches. In other words, the attackers are reading the list. The defenders are not.

This post explains what the KEV catalog is, why it exists, and how a Fort Worth business that does not have a full-time security team can actually use it. No tools to buy. Just a different way of thinking about what to patch first.

What the KEV Catalog Actually Is

A List of What Is Being Used Right Now

The Known Exploited Vulnerabilities catalog is a running, public inventory of software flaws that CISA has confirmed are being actively exploited by attackers. Not "might be exploited someday." Not "theoretical risk." Actually being used, right now, to break into real organizations. The full catalog lists every entry with its CVE identifier, the affected vendor and product, the date it was added, the date federal agencies have to fix it by, and whether it is associated with a ransomware campaign.

As of mid-April 2026, the catalog contains well over a thousand entries covering everything from Windows operating system flaws to firewall firmware bugs to web browser vulnerabilities to industrial control system weaknesses. If you run Microsoft 365, a business firewall, a VPN, a printer management server, or pretty much any piece of commercial software, there is a real chance that at least one product in your environment has had a KEV entry in the last two years.

Why Federal Agencies Care (and Why You Should Too)

The KEV catalog is not a suggestion for federal agencies. Under a CISA directive known as Binding Operational Directive 22-01, federal civilian executive branch agencies are legally required to remediate vulnerabilities on the list within specific timeframes, usually two to three weeks from the date they are added. The April 20 Cisco additions had a federal deadline of April 23. The other April additions had deadlines in early May.

The directive does not apply to private businesses. CISA is explicit about that. They are equally explicit that they "strongly urge all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation" of KEV entries. When the agency tasked with protecting the nation's critical infrastructure publishes a list of the specific software flaws being used to break into organizations, the reasonable response is not to ignore it because you are not technically required to comply.

If you have a managed IT services provider, ask them whether they subscribe to KEV notifications and whether their patching process is calibrated to the list. If they look at you blankly, that answer matters.

Why Patching Is Harder Than It Sounds for a Small Business

The "We Patch Monthly" Problem

Most small businesses that have any kind of patching process at all tell us they patch monthly, usually on the second Tuesday of the month when Microsoft releases its updates. That was a reasonable cadence in 2015. It is not a reasonable cadence in 2026.

The Verizon DBIR data shows that the median time from a vulnerability being publicly disclosed to being exploited in the wild has collapsed. For some high-profile flaws, attackers have working exploits within days, sometimes hours, of disclosure. Waiting until the next monthly patch cycle to address a vulnerability that CISA added to the KEV catalog last week means you are running with a known, actively exploited flaw on your network for up to four weeks. That is the window an attacker needs.

This does not mean small businesses need to patch every minor update the moment it is released. It means the patching priority should be risk-weighted. A KEV-listed vulnerability in something you are running is in a different category than a low-severity bug that nobody is exploiting. "We patch monthly" treats those two the same. That is the problem.

The "We Don't Know What We Have" Problem

You cannot patch what you do not know you have. Most Fort Worth small businesses we talk to do not have a current, accurate inventory of the software and hardware running in their environment. The IT provider might have one. The provider before them might have had a different one. When we ask to see a list of every server, every managed switch, every firewall firmware version, every line-of-business application, and every third-party integration that has access to Microsoft 365, we get silence most of the time.

The KEV catalog only helps if you can match it against something. If CISA announces that a specific Fortinet firewall firmware version is being exploited and your IT provider cannot tell you within a day whether you are running that version, the list does not protect you. The list has been available for five years. The asset inventory is the actual hard part.

This is one of the first things we do when a Fort Worth business hires us for endpoint management. Not the patching itself. The inventory. The patching follows the inventory. Without the inventory, patching is guesswork.


Concerned about what is actually running in your environment? IT Integrations provides managed patching and asset inventory for Fort Worth businesses and the surrounding DFW area. Call us at (817) 808-1816 or contact us for a free IT assessment.


Fort Worth Industry Realities

Healthcare: Patching Inside a HIPAA Environment

Healthcare practices have a particular problem with patching. The Electronic Health Records software, the practice management software, the billing integration, and the specialty devices sitting in exam rooms all have vendor-specific requirements for what can be patched and when. We work with home health, hospice, and assisted living practices across Fort Worth that have been told by an EHR vendor that they cannot install a specific Windows update because it has not been certified against the EHR yet.

Sometimes the vendor is right. Sometimes the vendor is using that as cover for the fact that they have not tested the update yet. The difference matters. A KEV-listed vulnerability sitting on an EHR workstation in a Fort Worth practice is both a security problem and, under the recent HIPAA Security Rule updates we covered last week, a compliance problem. "The vendor said not to patch" is not a documented risk decision. It needs to be.

Construction: The Jobsite Equipment Nobody Looks At

Construction companies run software on hardware that lives in places nobody wants to be. The jobsite trailer with the five-year-old router nobody has touched. The tablet in the pickup truck running an old version of the project management app. The wireless access point at a new build site that was installed on day one and forgotten by day thirty.

That old equipment runs old firmware. Old firmware accumulates KEV entries. When a Fort Worth construction company calls us after a ransomware scare, one of the first things we find is unmanaged network gear with firmware versions that have been on the KEV catalog for months. The fix is not glamorous. It is asset management and endpoint coverage that extends to the jobsite, not just the office.

Water Utility Districts: Patching the Things You Cannot Unplug

Fort Worth is surrounded by water utility districts. They run SCADA, remote pump stations, and operational technology networks that were not designed to be patched on a modern cadence. An industrial control system at a lift station might be running software that the vendor no longer supports, on hardware that predates the iPhone. Pulling it down to patch it is a big deal. Leaving it exposed is worse.

For these environments, KEV guidance becomes triage. If a CISA entry names a product that is sitting on a water utility's OT network, you probably cannot patch it by tomorrow. What you can do is isolate it, monitor it, and put a plan in place to replace the unsupported component when the next budget cycle allows. That is the difference between knowing about the KEV entry and not knowing. The KEV entry buys you the intelligence to make the triage call. Not knowing is the worst of both worlds.

What We See When We Audit a New Fort Worth Client

Every time a new client engages us for cybersecurity or a full managed IT takeover, we run the same audit. After 20+ years of running these audits for Fort Worth businesses, here is the pattern.

We pull an inventory of every Windows machine, server, firewall, switch, and access point in the environment. We pull the firmware version on each one. We cross-reference every version against the current KEV catalog. The result is almost always the same. There are between three and nine KEV entries sitting in the environment. Usually they are on firewalls or VPN appliances that someone set up four or five years ago and that have been running in the background ever since. The business owner has no idea. The previous IT provider either did not check, did not have a process for checking, or did check and did not tell the client.

None of these cases are malicious. The MSPs we replace are usually competent general IT companies. They just are not treating vulnerability intelligence as a product they deliver. That is the gap. A Fort Worth business paying a managed IT fee every month is reasonable to expect that somebody is watching the KEV catalog on their behalf. If nobody is, the gap between what the business is paying for and what the business is actually getting is wider than it looks.

The fix, as always, is not a product. It is a process. Inventory, map against the list, patch or mitigate, repeat. That is the work.
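
Here is one way to do the "map against the list" step in Python. This is an added example, not IT Integrations' own tooling. The field names follow CISA's published KEV JSON feed; the CVE IDs, vendors, and inventory rows are constructed placeholders. Matching is on vendor and product only, so every hit still needs a person to confirm the installed version is in the affected range.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleFW", "product": "EdgeOS",
  "dateAdded": "2026-04-01", "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVPN", "product": "Secure Gateway",
  "dateAdded": "2026-04-14", "dueDate": "2026-05-05", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Print Manager",
  "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed asset inventory: one row per device or application.
INVENTORY = [
    {"asset": "office-fw", "vendor": "examplefw", "product": "EdgeOS ", "version": "7.0.1"},
    {"asset": "jobsite-vpn", "vendor": "ExampleVPN", "product": "secure gateway", "version": "9.2"},
    {"asset": "front-desk-pc", "vendor": "ExampleDesk", "product": "Desktop OS", "version": "11"},
]

def norm(s):
    """Case- and whitespace-insensitive key so 'EdgeOS ' matches 'edgeos'."""
    return " ".join(s.lower().split())

def match_inventory(kev_json, inventory, today):
    """Return KEV hits for inventory rows, most urgent first."""
    index = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        index.setdefault((norm(v["vendorProject"]), norm(v["product"])), []).append(v)
    hits = []
    for row in inventory:
        for v in index.get((norm(row["vendor"]), norm(row["product"])), []):
            due = date.fromisoformat(v["dueDate"])
            hits.append({
                "asset": row["asset"], "cve": v["cveID"], "version": row["version"],
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "days_left": (due - today).days,  # negative: past the federal due date
            })
    # Ransomware-linked entries first, then the nearest (or most overdue) deadline.
    return sorted(hits, key=lambda h: (not h["ransomware"], h["days_left"]))

if __name__ == "__main__":
    for h in match_inventory(KEV_JSON, INVENTORY, date(2026, 4, 25)):
        print(h)  # each hit still needs a human check of the affected version range
```

The inventory is the input that matters: a device that is missing from it can never produce a hit, no matter how current the catalog copy is.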

Frequently Asked Questions

Do I need expensive tools to use the KEV catalog?

No. The catalog is public. CISA publishes it on their website, releases it as a downloadable JSON file, and offers email notifications whenever a new entry is added. The catalog itself costs nothing. What costs money is the asset inventory, the patching process, and the expertise to interpret whether a given entry actually affects your environment. Small businesses typically get this through a managed IT provider who is already doing patching as part of their flat-rate service. Large businesses layer on vulnerability scanning tools that integrate the KEV list automatically. Either way, the list itself is not the barrier to entry. The process around it is.

How often does CISA add to the catalog?

It varies. In some months, CISA adds one or two entries across the month. In other months, like April 2026, they add more than ten. The agency does not publish on a schedule. They publish when they have confirmed evidence of active exploitation, which means additions tend to cluster around major vulnerability disclosures, active campaigns, and coordinated responses to critical flaws in widely deployed products. Subscribing to the email notification list is the easiest way to keep up without manually checking the catalog every day.

If we patch everything on the KEV list, are we secure?

No, and anyone who says otherwise is selling something. The KEV catalog is a high-value subset of the total vulnerability landscape. It tells you what attackers are proven to be using. It does not tell you everything that is wrong with your environment. Configuration mistakes, weak passwords, missing multi-factor authentication, phishing, social engineering, third-party risk, and insider threat all sit outside the KEV catalog. Real cybersecurity is a stack of overlapping controls. KEV-based patching is one of the most cost-effective controls in that stack, but it is not the only one. The DBIR data is clear that credential abuse and social engineering remain as significant as vulnerability exploitation.

How is this different from just "patch Windows every month"?

Monthly Windows patching is a starting point, not a finish line. The KEV approach does two things that monthly Windows patching does not. First, it covers software and firmware beyond just Windows, including firewalls, VPN appliances, switches, printers, and third-party applications. Most breaches do not start with an unpatched Windows workstation. They start with an unpatched edge device. Second, it is risk-prioritized. When CISA adds a new entry, the signal is "attackers are using this right now." That is a different signal than "Microsoft released an update last Tuesday." A patching process calibrated to KEV entries responds within days to confirmed active threats. A patching process that only runs monthly does not.

Next Steps

If you run a Fort Worth business and you do not currently have a process for watching the KEV catalog and mapping it against what is actually running in your environment, that is the gap. Closing it is not complicated, but it does require a real inventory, a real patching cadence, and someone accountable for the work. Most Fort Worth businesses we talk to are paying for IT services that do not include any of that. Some are paying for services that do, and nobody is checking to make sure.

The good news is the KEV catalog is free, the process is well understood, and it does not require new tools or new software. It requires somebody to actually do the work every week, verify it, and tell you what they found.

Ready to close the gap between what you are paying for and what you are actually getting? IT Integrations provides managed IT and cybersecurity services for Fort Worth businesses and the surrounding DFW metro, including Aledo, Willow Park, Hudson Oaks, Weatherford, Burleson, and Azle. Call (817) 808-1816 or schedule a free IT consultation today.
