u/Active_Sea4060

Ran into this recently:

CVE-2026-31431 was weaponized in about 9 days, then added to CISA KEV.

That’s a tight turnaround if you’re relying on CVSS, vendor advisories or regular patch cycles.

By the time it’s clearly “urgent,” it’s already moving.

Been testing a way to track when CVEs actually start getting used instead of just when they’re published.

Main goal is cutting noise and catching what actually matters earlier. Interested in what workflows people trust here.

u/Active_Sea4060 — 6 days ago
▲ 4 r/blueteamsec+2 crossposts

CVE-2026-31431 showed up in the wild roughly 9 days after disclosure, then landed in KEV.

That lag is interesting from a detection standpoint.

Are you relying on:

  • KEV as the trigger
  • vendor intel
  • internal telemetry
  • external feeds (MISP, etc.)

Or trying to catch earlier signals?

Been looking at correlating:

  • exploitation indicators
  • KEV updates
  • attention spikes (news / social chatter)

Example:
https://pingtwice.com/cve/CVE-2026-31431

Not trying to replace existing tooling, just focusing on that gap between disclosure and confirmed exploitation.

Curious how others are handling this operationally.

u/Active_Sea4060 — 4 days ago
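
The correlation described in the post above (exploitation indicators, KEV updates, attention spikes), sketched as an added example that is not the poster's code or the linked site's tooling. All CVE ids, dates and mention counts are constructed placeholders, and the spike rule (trailing mean plus three standard deviations, with a minimum count) is an assumption.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data: placeholder CVE ids, dates and counts.
PUBLISHED = {"CVE-2099-0001": date(2099, 3, 1), "CVE-2099-0002": date(2099, 3, 1)}
KEV_ADDED = {"CVE-2099-0001": date(2099, 3, 14)}     # e.g. the KEV "dateAdded" field
EXPLOIT_SEEN = {"CVE-2099-0001": date(2099, 3, 10)}  # first sighting in telemetry or a feed
MENTIONS = {  # daily mention counts, index 0 = publication day
    "CVE-2099-0001": [2, 3, 2, 1, 2, 3, 2, 19, 25, 30, 28, 22, 18, 15],
    "CVE-2099-0002": [1, 2, 1, 2, 1, 1, 2, 1, 2, 1, 1, 2, 1, 1],
}

def first_spike(counts, window=5, k=3.0, floor=10):
    """Index of the first day whose count clears the floor and exceeds
    the trailing-window mean by k standard deviations, else None."""
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        if counts[i] >= floor and counts[i] > mean(base) + k * pstdev(base):
            return i
    return None

def timeline(cve):
    """Days from publication to each signal, earliest signal first."""
    pub = PUBLISHED[cve]
    signals = {}
    idx = first_spike(MENTIONS.get(cve, []))
    if idx is not None:
        signals["attention_spike"] = pub + timedelta(days=idx)
    if cve in EXPLOIT_SEEN:
        signals["exploitation_indicator"] = EXPLOIT_SEEN[cve]
    if cve in KEV_ADDED:
        signals["kev"] = KEV_ADDED[cve]
    lags = {name: (day - pub).days for name, day in signals.items()}
    return dict(sorted(lags.items(), key=lambda kv: kv[1]))

def lead_over_kev(cve):
    """Days of warning the earliest non-KEV signal gave before KEV listing."""
    lags = timeline(cve)
    others = [v for name, v in lags.items() if name != "kev"]
    if "kev" not in lags or not others:
        return None
    return lags["kev"] - min(others)

if __name__ == "__main__":
    for cve in PUBLISHED:
        print(cve, timeline(cve), "lead over KEV:", lead_over_kev(cve))
```

A CVE with no signals returns an empty timeline, which keeps quiet entries out of the triage queue until one of the three sources fires.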