Meet the Hounds · toggle theme, then print
LAELAPS crest
MEET THE HOUNDS

LAELAPS

CISA KEV Tagging
Laelaps Hound · Category: Threat & Exposure
“Every actively-exploited vuln, caught and tagged.”

The hound fated to always catch its quarry — Laelaps never loses the scent of an actively-exploited vulnerability.

THE PROBLEM

CISA's Known Exploited Vulnerabilities catalog is the single best “fix this now” signal in security — these aren't theoretical CVEs, they're being exploited in the wild today. But pulling KEV out of thousands of findings and grouping it into something a patch team can act on is tedious, manual, and easy to let slide.

WHAT IT DOES

Laelaps instantly finds and tags every actively-exploited vulnerability in the estate. It works off the CISA-KNOWN-EXPLOITED cross-reference to tag all KEV assets at once, by catalog date, or by month in one click — and answers natural-language KEV hunts on top. The result is an exploitability backbone the entire pack keys off.

KEY CAPABILITIES

  • KEV asset tagging — every asset carrying an actively-exploited vulnerability is tagged from the CISA-KNOWN-EXPLOITED cross-reference in your own findings, putting the estate's most urgent population one filter away.
  • By-date and by-month roll-up tagging — slice the KEV backlog by catalog date, or tag an entire month in one click. A quarter's remediation debt becomes three clean, schedulable batches.
  • Per-month distinct asset counts — see exactly how many assets each month's wave touches before committing a patch window, so scoping happens before work starts, not during it.
  • Natural-language KEV queries — ask “which assets picked up KEV findings in March?” in plain English; Laelaps translates to SQL and hunts. No query language required.
  • Gated writes to the tagging log — every tag is proposed, human-approved, and recorded, so the exploitability backbone the rest of the pack depends on is also fully auditable.

HOW IT WORKS

Laelaps runs against the local navi.db built from your Tenable data: the vulns.xrefs field (CISA-KNOWN-EXPLOITED) with catalog dateAdded parsing for date- and month-level grouping. All writes are proposed, human-approved, and logged.

WHY IT'S DIFFERENT

  • Month-level bulk tagging — no per-date clicking through the catalog; a quarter's KEV backlog becomes three tags.
  • It's the exploitability backbone of the pack — the KEV signal Laelaps surfaces is what Fenrir, Pythia, and Heimdall prioritize against.
  • Evidence-based: tags come from the KEV cross-reference in your actual findings, not a memorized CVE list.
  • Gated, reviewable writes — Laelaps proposes tags; a human approves.

PROOF POINTS

  • In a reference environment of 268 assets, Laelaps surfaced:
  • 2,631 KEV findings across the estate — instantly grouped and taggable by month instead of buried in the general finding count.

Illustrative results from a demo lab — not a guarantee. KEV signals depend on scan coverage; blind or uncredentialed hosts are called out, not hidden.

WORKS BETTER WITH

Laelaps feeds the pack's heaviest hitters: Fenrir uses KEV as foothold evidence in attack paths, Pythia crosses it with AI assets, Heimdall folds it into crypto migration priority, and On the Scent rolls it into the executive exposure view.

WHO IT'S FOR

Vulnerability management leads who need a defensible “patch this first” list, and patch prioritization owners who plan remediation in waves, not one CVE at a time.

CALL TO ACTION

Ask Laelaps what's actively exploited in your estate — it always catches its quarry.

THE HOUNDS — a human-in-the-loop security agent pack for Tenable VM / Tenable One.Gated writes · Evidence-first · Honest about coverage