Most security teams subscribe to threat intelligence feeds and assume they’re covered. They’re not. We ran the numbers across 1,309 articles from 14 CTI feeds over three months, cross-referenced every extracted CVE against the CISA Known Exploited Vulnerabilities catalog, and the results are uncomfortable.
85% of exploited vulnerabilities appeared in exactly one feed. Miss that feed, miss the threat.
What We Measured
We operate an automated triage pipeline that ingests articles from 14 CTI sources – a mix of vendor research blogs, news outlets, and government advisories. Every article gets parsed for CVE identifiers, scored against a weighted signal model, and cross-referenced against the CISA KEV catalog in real time.
The KEV catalog is CISA’s list of vulnerabilities confirmed to be actively exploited. It currently holds 1,566 entries. When CISA adds a CVE, federal agencies have a mandatory remediation deadline (typically 2-3 weeks). For everyone else, a KEV listing is the clearest signal that a vulnerability has moved from theoretical to operational.
Our dataset: 1,309 articles, 321 unique CVEs extracted, 114 of those matched against KEV. Three months of collection. Every data point is verifiable.
The Coverage Matrix
Here’s what each feed actually delivered:
| Feed | Type | Articles | Unique CVEs | KEV Matches | KEV Hit Rate |
|---|---|---|---|---|---|
| Tenable Research | Vendor blog | 34 | 121 | 82 | 29.4% |
| CISA Advisories | Government | 30 | 151 | 13 | 26.7% |
| The DFIR Report | Vendor blog | 10 | 2 | 2 | 20.0% |
| Microsoft Threat Intelligence | Vendor blog | 18 | 3 | 2 | 11.1% |
| The Hacker News | News | 296 | 48 | 20 | 6.8% |
| Unit 42 | Vendor blog | 38 | 5 | 2 | 5.3% |
| Mandiant | Vendor blog | 20 | 1 | 1 | 5.0% |
| Cisco Talos | Vendor blog | 47 | 3 | 2 | 4.3% |
| BleepingComputer | News | 257 | 10 | 8 | 3.1% |
| Dark Reading | News | 225 | 6 | 4 | 2.2% |
| SecurityWeek | News | 217 | 8 | 4 | 1.8% |
| Recorded Future | Vendor blog | 66 | 1 | 1 | 1.5% |
| CrowdStrike | Vendor blog | 33 | 1 | 0 | 0.0% |
| Krebs on Security | News | 18 | 0 | 0 | 0.0% |
Two things jump out immediately.
Tenable publishes 34 articles but covers 121 unique CVEs. That’s 9.3 CVEs per article. They write Patch Tuesday roundups and vulnerability batch analyses – one article, dozens of CVEs. News outlets like The Hacker News publish 296 articles but only mention CVE IDs in 44 of them. High volume, low CVE density. Different purpose entirely.
CrowdStrike, Mandiant, Recorded Future, and Krebs on Security all matched few or zero KEV CVEs despite publishing between 18 and 66 articles each. That’s not a quality judgement – it’s a format difference. CrowdStrike writes detection-focused campaign analysis. Mandiant publishes long-form APT group research and attribution work. Recorded Future produces strategic threat landscape reporting. Krebs writes investigative journalism that often breaks stories months before anyone else. Their value is context, attribution, and narrative – the kind of intelligence that tells you who is behind an attack and why, not just which CVE they’re exploiting. A feed stack needs both: CVE-dense sources for vulnerability triage, and these sources for the operational picture that raw CVE numbers can’t give you.
Who Reports First
This is where it gets interesting.
When the same exploited CVE appears in multiple feeds, who publishes first?
| Feed Type | Times First Reporter | Percentage |
|---|---|---|
| Vendor blogs | 83 | 72.8% |
| News outlets | 18 | 15.8% |
| Government advisories | 13 | 11.4% |
Vendor research blogs report exploited vulnerabilities first nearly three-quarters of the time. News outlets amplify days later. CISA advisories confirm active exploitation but rarely break the news.
Drill down to specific feeds and the picture gets sharper:
| Feed | Times First Reporter |
|---|---|
| Tenable Research | 76 |
| CISA Advisories | 13 |
| The Hacker News | 10 |
| BleepingComputer | 6 |
| The DFIR Report | 2 |
| Everyone else | 1 each |
Tenable is the first reporter for 76 out of 114 KEV CVEs. That’s 67%. Not because they have better threat intelligence than Mandiant or CrowdStrike – because their publishing format (batch CVE analyses) captures vulnerabilities that single-article feeds skip.
The Single-Source Problem
This finding drives the rest of the analysis.
| Coverage Depth | KEV CVEs | Percentage |
|---|---|---|
| Reported by 1 feed only | 97 | 85.1% |
| Reported by 2 feeds | 12 | 10.5% |
| Reported by 3+ feeds | 5 | 4.4% |
97 exploited vulnerabilities – confirmed actively exploited, confirmed in CISA KEV – were reported by exactly one feed in our stack. Drop that feed, and those 97 CVEs disappear from your visibility entirely.
The most-covered CVE in our dataset (CVE-2026-20127) was reported by 7 different feeds. That’s the exception. The typical exploited vulnerability shows up once and nowhere else.
Who holds the exclusives?
| Feed | Exclusive KEV CVEs |
|---|---|
| Tenable Research | 75 |
| CISA Advisories | 7 |
| The Hacker News | 6 |
| BleepingComputer | 4 |
| The DFIR Report | 2 |
| Unit 42, Microsoft TI, Cisco Talos | 1 each |
Tenable is the sole reporter for 75 exploited CVEs. Remove Tenable from our feed stack and we lose visibility on 66% of our KEV-matched vulnerabilities. No other single feed comes close to that impact.
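To make the first-reporter, coverage-depth, exclusive-source and "drop this feed and lose X%" figures above reproducible, here is an added example (not the authors' pipeline code) that computes them from per-article records of feed, detected_at ingestion time and extracted CVEs, filtered to a KEV id set. The article records and the KEV set are constructed sample data.

```python
from collections import Counter, defaultdict
# Constructed sample records: (feed, detected_at, CVE ids seen in the title/description).
# detected_at is the pipeline's ingestion time, which is what the page bases "first reporter" on.
ARTICLES = [
    ("Tenable Research", "2026-02-10T15:00", ["CVE-2026-20127", "CVE-2026-10001", "CVE-2026-10002", "CVE-2026-10005"]),
    ("The Hacker News", "2026-02-11T09:30", ["CVE-2026-20127"]),
    ("CISA Advisories", "2026-02-12T18:00", ["CVE-2026-20127", "CVE-2026-10003"]),
    ("BleepingComputer", "2026-02-12T20:15", ["CVE-2026-20127"]),
    ("Microsoft Threat Intelligence", "2026-02-20T10:00", ["CVE-2026-10001"]),
    ("The DFIR Report", "2026-03-01T12:00", ["CVE-2026-10004"]),
    ("CrowdStrike", "2026-03-02T08:00", []),  # campaign analysis with no CVE ids
]
# Constructed stand-in for the KEV cveID set; CVE-2026-10002 is deliberately absent from it
KEV = {"CVE-2026-20127", "CVE-2026-10001", "CVE-2026-10003", "CVE-2026-10004", "CVE-2026-10005"}

def kev_reports(articles, kev):
    """Map each KEV-listed CVE to its (detected_at, feed) reports, earliest first."""
    reports = defaultdict(list)
    for feed, detected_at, cves in articles:
        for cve in set(cves) & kev:          # non-KEV CVEs are dropped here
            reports[cve].append((detected_at, feed))
    return {cve: sorted(r) for cve, r in reports.items()}

def first_reporters(reports):
    """How often each feed was earliest to ingest a KEV CVE (exact ties fall back to feed name)."""
    return Counter(r[0][1] for r in reports.values())

def coverage_depth(reports):
    """Bucket KEV CVEs by the number of distinct feeds that reported them."""
    depth = Counter()
    for r in reports.values():
        n = len({feed for _, feed in r})
        depth["1" if n == 1 else "2" if n == 2 else "3+"] += 1
    return depth

def exclusives(reports):
    """KEV CVEs reported by one feed only, keyed by that feed."""
    out = defaultdict(set)
    for cve, r in reports.items():
        feeds = {feed for _, feed in r}
        if len(feeds) == 1:
            out[feeds.pop()].add(cve)
    return dict(out)

def visibility_loss(reports, feed):
    """Percentage of KEV CVEs the stack would no longer see if `feed` were dropped."""
    lost = sum(1 for r in reports.values() if {f for _, f in r} == {feed})
    return round(100 * lost / len(reports), 1)

if __name__ == "__main__":
    rep = kev_reports(ARTICLES, KEV)
    print(first_reporters(rep), coverage_depth(rep), exclusives(rep), visibility_loss(rep, "Tenable Research"))
```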
Does the Triage Scoring Actually Work?
Our pipeline scores every article using a weighted signal model. The heaviest signals – active exploitation, zero-day indicators, and KEV matches – each carry 0.35 weight. Patch advisories sit at 0.15. Generic malware mentions get 0.10, which keeps them from gaming the score through sheer volume. The model buckets articles into four priority tiers: CRITICAL, HIGH, ROUTINE, and LOW.
We validated the model against KEV ground truth:
| Priority | Articles | Had KEV Match | Accuracy |
|---|---|---|---|
| CRITICAL | 59 | 46 | 78.0% |
| HIGH | 70 | 19 | 27.1% |
| ROUTINE | 216 | 0 | 0.0% |
| LOW | 964 | 0 | 0.0% |
78% of CRITICAL-scored articles contained CVEs that are in the KEV catalog. No KEV-matched article landed in the ROUTINE or LOW buckets. The model isn’t perfect – 22% of CRITICALs had CVEs not yet in KEV (they might be added later, or might never be) – but it separates signal from noise reliably.
The signals driving CRITICAL classification tell you what matters:
| Signal | Occurrences in CRITICAL Articles |
|---|---|
| CVE mentioned | 51 |
| KEV match | 46 |
| Active exploitation language | 32 |
| Critical vulnerability language | 28 |
| Zero-day language | 27 |
| Nation-state indicators | 10 |
| Ransomware indicators | 5 |
CVE presence combined with active exploitation language is the strongest predictor. If an article mentions a specific CVE and uses phrases like “exploited in the wild” or “actively exploited,” it’s almost certainly describing a real, operational threat.
The Gap: Vendor Advisory Sources
CISA KEV references vendor security portals as its primary sources – the places where patches and vulnerability details originate. Our 14 feeds sit one layer downstream. We monitor the researchers and journalists who report on these advisories, not the advisories themselves.
Cross-referencing KEV’s reference URLs against our feed stack:
| Missing Source | KEV CVEs | RSS Available |
|---|---|---|
| Apple Security Updates | 215 | No |
| MSRC Security Update Guide | 119 | Yes |
| Chrome Releases | 32 | Yes |
| Citrix Security | 11 | No |
| Broadcom/VMware | 11 | No |
| Zero Day Initiative (Trend Micro) | 7 | Yes |
Six vendor advisory sources cover 395 KEV CVEs – 25% of the entire catalog – that our feeds learn about secondhand. We’ve since added the three with RSS feeds (MSRC, Chrome Releases, ZDI). The other three need scrapers.
The Microsoft gap is worth highlighting. We already had the Microsoft Threat Intelligence blog (priority 8 in our stack), which publishes campaign analysis and APT research. What we didn’t have was the MSRC Security Update Guide – the actual patch advisories with CVE IDs, CVSS scores, and affected product lists. Different feed, different content. The TI blog writes “Midnight Blizzard is exploiting CVE-2026-XXXX.” The MSRC feed writes “CVE-2026-XXXX: Windows Kernel Elevation of Privilege, CVSS 8.8, patch KB5xxxxx.” Both matter. We were only getting one.
What This Means for Your Feed Stack
Five takeaways from the data.
One. If you’re only monitoring news outlets (The Hacker News, BleepingComputer, Dark Reading), you’re getting amplification, not discovery. Vendor blogs report first 73% of the time. Add at least one vendor research feed – Tenable’s blog, specifically, had the highest KEV coverage by a wide margin.
Two. A single feed is not a feed stack. 85% of exploited CVEs appeared in exactly one source. Redundancy isn’t optional – it’s the difference between catching a threat and missing it entirely.
Three. Batch CVE articles (Patch Tuesday roundups, vulnerability digests) are disproportionately valuable. Tenable’s 9.3 CVEs per article means a single Patch Tuesday post catches more exploited vulnerabilities than weeks of individual news articles.
Four. Government advisories confirm, they don’t discover. CISA was the first reporter for only 13 of 114 KEV CVEs (11.4%). If your triage depends on waiting for CISA to say something, you’re late.
Five. Monitor the vendor advisory portals directly. Apple, Microsoft MSRC, Chrome Releases, and Citrix security pages are where CISA gets its data. If you can ingest these, you’re operating at the same layer CISA does – not waiting for the downstream report.
Methodology Notes
The triage pipeline extracts CVE identifiers via regex (CVE-YYYY-NNNNN pattern) from article titles and descriptions. Articles without explicit CVE IDs in the title or RSS description are counted as zero-CVE even if the full article body contains them – this is a limitation of RSS-based collection. Full-text scraping would increase CVE extraction rates, particularly for news outlets that mention CVEs deep in article bodies rather than headlines.
KEV cross-referencing happens at triage time against a cached copy of the CISA KEV JSON catalog (1-hour TTL). A “KEV match” means the article mentioned a CVE that was in the KEV catalog at the time of triage.
“First reporter” is determined by the detected_at timestamp – when our pipeline first ingested the article, not when the source published it. If two feeds publish simultaneously, whichever our poller reaches first gets the credit. Worth noting as a limitation.
The data covers February through April 2026. Feed configurations, article volumes, and KEV additions are all time-bounded. Results may vary with different collection periods.
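The following is an added example, not the pipeline's own code, of the triage path described in the scoring section and in these Methodology Notes: regex CVE extraction from an RSS title and description, a KEV membership check against a cached copy of the catalog with a 1-hour TTL, and weighted scoring into the four tiers. The weights are the page's; the detection phrases, the tier cut-offs, the KevCatalog class and the sample catalog are assumptions.

```python
import re
import time
# The page's CVE-YYYY-NNNNN pattern; CVE sequence numbers are four or more digits
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

# Weights are the page's. The detection phrases and tier cut-offs are assumptions.
WEIGHTS = {"active_exploitation": 0.35, "zero_day": 0.35, "kev_match": 0.35,
           "critical_vuln": 0.25, "patch_advisory": 0.15, "malware": 0.10}
PHRASES = {
    "active_exploitation": r"exploited in the wild|actively exploited|active exploitation",
    "zero_day": r"zero[- ]day",
    "critical_vuln": r"critical (?:vulnerability|flaw|severity)",
    "patch_advisory": r"\bpatch(?:es|ed)?\b|security update",
    "malware": r"\bmalware\b|\btrojan\b|\bbackdoor\b",
}
TIERS = [(0.70, "CRITICAL"), (0.35, "HIGH"), (0.15, "ROUTINE"), (0.0, "LOW")]

class KevCatalog:
    """Cached KEV catalog (same 'vulnerabilities'/'cveID' layout as CISA's JSON), refreshed after the TTL."""
    def __init__(self, fetch, ttl=3600, clock=time.time):
        self.fetch, self.ttl, self.clock = fetch, ttl, clock
        self.ids, self.fetched_at = set(), float("-inf")

    def contains(self, cve):
        if self.clock() - self.fetched_at >= self.ttl:  # stale (or never fetched): re-download
            self.ids = {v["cveID"].upper() for v in self.fetch()["vulnerabilities"]}
            self.fetched_at = self.clock()
        return cve.upper() in self.ids

def extract_cves(text):
    return sorted({m.upper() for m in CVE_RE.findall(text)})

def triage(title, description, kev):
    """Score an RSS item (title + description only, as the page's collector does) and bucket it."""
    text = f"{title} {description}"
    cves = extract_cves(text)
    hits = {s for s, pat in PHRASES.items() if re.search(pat, text, re.IGNORECASE)}
    if any(kev.contains(c) for c in cves):  # KEV membership at triage time
        hits.add("kev_match")
    score = round(sum(WEIGHTS[s] for s in hits), 2)   # presence-based: repeats do not add up
    tier = next(name for cutoff, name in TIERS if score >= cutoff)
    return {"score": score, "tier": tier, "cves": cves, "signals": sorted(hits)}

# Constructed stand-in for the downloaded catalog (the real file has many more fields per entry)
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-2026-20127", "dateAdded": "2026-02-03"}]}

if __name__ == "__main__":
    kev = KevCatalog(lambda: SAMPLE_KEV)
    print(triage("Zero-day CVE-2026-20127 exploited in the wild", "Vendor issued a patch.", kev))
```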
Frequently Asked Questions
Which single CTI feed covers the most exploited vulnerabilities?
Tenable Research Blog matched 82 unique KEV CVEs from just 34 articles – a 29.4% hit rate and 75 exclusive CVEs that no other feed in our stack reported. Their Patch Tuesday roundup format (averaging 9.3 CVEs per article) captures vulnerabilities that single-article feeds miss.
Are news outlets useful for threat intelligence?
Yes, but for different reasons. The Hacker News published 296 articles and matched 20 KEV CVEs. BleepingComputer published 257 articles and matched 8. Their value is breadth of threat coverage, speed of reporting on active campaigns, and accessibility for non-specialist readers. They’re amplifiers, not primary discovery sources.
How many feeds do I actually need?
Our data shows 85% of exploited CVEs appeared in only one feed. At minimum, you need one vendor research feed (for CVE-dense technical analysis), one news outlet (for broad threat awareness), and one government source (for authoritative confirmation). Three feeds minimum, five to seven for solid coverage across vendor blog and news categories.
Does CISA KEV tell me about threats before anyone else?
Rarely. CISA was the first reporter for only 11.4% of the KEV CVEs in our dataset. The catalog’s value is authoritative confirmation that exploitation is happening and mandatory remediation deadlines for federal agencies. It’s the ground truth for validation, not a discovery tool.
Can I automate feed triage instead of reading everything manually?
Yes. Our weighted scoring model (active exploitation = 0.35, zero-day = 0.35, KEV match = 0.35, critical vulnerability = 0.25) correctly identified 78% of articles containing KEV-listed CVEs as CRITICAL priority, with no KEV-matched article scored ROUTINE or LOW. Keyword-based triage isn’t perfect, but it reliably separates the 5% that needs analyst attention from the 95% that doesn’t.
What about feeds that didn’t match any KEV CVEs?
CrowdStrike Blog (0 KEV matches from 33 articles) and Krebs on Security (0 from 18) produce excellent content that doesn’t typically include raw CVE identifiers. CrowdStrike writes detection-focused campaign analysis. Krebs writes investigative journalism. Their value is context and narrative, not indicator extraction. Don’t drop them from your stack – just don’t expect them to be your CVE early warning system.