NexusVoid AI Research
Annual Pentests Would Have Missed 67% of 2025's Actively Exploited Vulnerabilities
We computed the disclosure-to-exploitation window for all 245 vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog in 2025. The median window is 26 days. Under an annual pentest schedule, an expected 67.5% would never be tested before exploitation - and quarterly testing still misses 54%.
KEV, pentesting, exposure windows, CISA, vulnerability management

ANALYSIS · Original computation on public data. No new vulnerabilities were discovered in this work.
Of the 245 vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog in 2025, an expected 67.5% would never have been tested before exploitation under an annual penetration-testing schedule. A quarterly schedule still misses 54%. And 20% were exploited on or before the day they were publicly disclosed - no testing cadence can catch those at all.
The median gap between a vulnerability's public disclosure and CISA confirming active exploitation was just 26 days. Half of the year's known-exploited vulnerabilities went from public disclosure to confirmed active exploitation in less time than most companies take to schedule a pentest.
What we asked
For vulnerabilities that became actively exploited in 2025, how likely is it that a scheduled penetration test would have occurred between the vulnerability's disclosure and its exploitation?
How we computed it
Data: The NVD API exposes every CVE flagged in CISA's KEV catalog, including two dates per record: published (when the CVE record was publicly disclosed) and cisaExploitAdd (when CISA confirmed active exploitation). A single API call, filtered to KEV-flagged entries, returned all 1,631 KEV-flagged CVEs as of 2 July 2026.
We took the 245 entries with a 2025 cisaExploitAdd date and computed each one's exposure window: cisaExploitAdd minus published.
Model: A pentest schedule with cadence C (365 days for annual, 90 for quarterly) and a uniformly random start date. A vulnerability is "missed" if no test date falls inside its exposure window - meaning the vulnerability was disclosed and exploited entirely between two consecutive tests. With a uniformly random start date, a window of w days contains a test date with probability min(1, w/C), so the probability of a miss is max(0, 1 − w/C); windows of zero or less count as always missed, since no schedule can test for an undisclosed vulnerability.
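The computation described in the two steps above, as an added, runnable example (editor's code, not NexusVoid's twenty-line script and not an official NVD client). It runs offline on a constructed handful of records shaped like NVD CVE API 2.0 "vulnerabilities" entries; the CVE IDs and dates in SAMPLE_RECORDS are made up. fetch_kev_records shows the documented NVD hasKev filter that returns the KEV-flagged set, but it is never called here, so nothing in the block touches the network.

```python
"""Recompute KEV disclosure-to-exploitation windows and pentest-cadence miss rates."""
import json
import urllib.request
from datetime import date
from statistics import median

# hasKev is the documented NVD CVE API 2.0 filter for CISA KEV entries.
NVD_KEV_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0?hasKev"

# Constructed sample in the shape of NVD "vulnerabilities" entries (made-up IDs and
# dates; only the fields this analysis reads are present). Windows, in days:
# 0 (same-day), 5, 26, 170, -1 (KEV-listed before the CVE record was published),
# plus one 2024-cohort record that the 2025 summary must exclude.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2025-00001", "published": "2025-01-10T15:30:00.000", "cisaExploitAdd": "2025-01-10"}},
    {"cve": {"id": "CVE-2025-00002", "published": "2025-02-01T08:00:00.000", "cisaExploitAdd": "2025-02-06"}},
    {"cve": {"id": "CVE-2025-00003", "published": "2025-03-15T12:00:00.000", "cisaExploitAdd": "2025-04-10"}},
    {"cve": {"id": "CVE-2025-00004", "published": "2024-11-20T00:00:00.000", "cisaExploitAdd": "2025-05-09"}},
    {"cve": {"id": "CVE-2025-00006", "published": "2025-07-01T10:00:00.000", "cisaExploitAdd": "2025-06-30"}},
    {"cve": {"id": "CVE-2024-00005", "published": "2024-06-01T00:00:00.000", "cisaExploitAdd": "2024-06-20"}},
]

CADENCES = {"annual": 365, "semi-annual": 182.5, "quarterly": 90, "monthly": 30}


def fetch_kev_records(url=NVD_KEV_URL):
    """Fetch every KEV-flagged CVE from the live NVD API. Not called in this file;
    swap it in for SAMPLE_RECORDS to reproduce the page's figures."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)["vulnerabilities"]


def exposure_window_days(record):
    """cisaExploitAdd minus published, in whole days (negative if KEV preceded the record)."""
    cve = record["cve"]
    published = date.fromisoformat(cve["published"][:10])  # drop the time-of-day part
    exploit_added = date.fromisoformat(cve["cisaExploitAdd"])
    return (exploit_added - published).days


def cohort_windows(records, year):
    """Windows for every record whose cisaExploitAdd falls in the given year."""
    return [exposure_window_days(r) for r in records
            if r["cve"]["cisaExploitAdd"].startswith(f"{year}-")]


def miss_probability(window_days, cadence_days):
    """P(no test date lands inside the window) for a schedule with a uniformly random phase.

    A window of w days contains a test date with probability min(1, w / C), so a miss
    has probability max(0, 1 - w / C). Windows of zero or less always count as missed:
    a test cannot look for a vulnerability that has not been disclosed yet.
    """
    if window_days <= 0:
        return 1.0
    return max(0.0, 1.0 - window_days / cadence_days)


def expected_miss_rate(windows, cadence_days):
    """Expected share of the cohort never tested before exploitation at this cadence."""
    return sum(miss_probability(w, cadence_days) for w in windows) / len(windows)


def share_within(windows, days):
    """Fraction of the cohort exploited within `days` of disclosure (inclusive)."""
    return sum(1 for w in windows if w <= days) / len(windows)


def summarize(records, year):
    """The page's headline statistics for one KEV cohort year."""
    windows = cohort_windows(records, year)
    return {
        "n": len(windows),
        "median_window_days": median(windows),
        "share_on_or_before_disclosure": share_within(windows, 0),
        "share_within_7_days": share_within(windows, 7),
        "miss_rate_by_cadence": {name: expected_miss_rate(windows, c) for name, c in CADENCES.items()},
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORDS, 2025), indent=2))
```

On the sample cohort the median window is 5 days and the annual-cadence miss rate comes out at about 89%, which is higher than the page's 67.5% only because the constructed sample is tiny and skewed short; the logic is the same as the model described above. Note that exposure_window_days compares calendar dates, not timestamps, so a same-day listing yields a window of exactly 0 and is treated as always missed.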
The numbers
For the 245 vulnerabilities added to KEV in 2025:
Median disclosure-to-exploitation window: 26 days
Exploited on or before disclosure day: 20.0% (49 of 245)
Exploited within 7 days of disclosure: 39.6%
Exploited within 30 days: 51.4%
Exploited within 90 days: 63.7%
Expected share never tested before exploitation, by cadence:
Annual testing: 67.5%
Semi-annual: 60.8%
Quarterly: 54.0%
Monthly: 43.0%
As a robustness check, the 2023 and 2024 KEV cohorts give annual-cadence miss rates of 67.4% and 66.2% - this is a stable property of how fast exploitation happens, not a quirk of 2025.
What this doesn't tell us
KEV listing lags real exploitation. cisaExploitAdd records when CISA confirmed exploitation, which is after exploitation began. True exposure windows are shorter than we measured, so the real miss rates are higher than our figures; our numbers are a conservative floor. The one effect running the other way is on the disclosure side: published is the date of the NVD record, and where a vendor advisory preceded the CVE record the true window is somewhat longer than measured.
KEV is a floor, not a census. It only contains exploitation that was detected and confirmed. Vulnerabilities exploited quietly never enter the dataset.
We model testing opportunity, not detection ability. We generously assume any test occurring after disclosure would find and flag the vulnerability. Real-world scope limits and coverage gaps would make results worse, not better.
We excluded pre-2023 KEV cohorts from headline figures because CISA back-filled years-old vulnerabilities when the catalog launched, which distorts window lengths (the 2022 cohort's median window is 1,436 days for this reason).
The full per-CVE dataset (CVE ID, disclosure date, KEV date, window) is available as a CSV - reproducing our numbers requires the one NVD API call described above and about twenty lines of Python.
Where this fits
This is the math behind why we build continuous verification instead of point-in-time testing. A pentest is a photograph; 2025's exploitation data says the scene changes, at the median, every 26 days. Whatever tests your security posture has to run more often than the exposure windows it is meant to catch stay open - which is why our platform tests continuously rather than annually.
DATA SOURCES
CISA KEV catalog via NVD API v2.0 (published + cisaExploitAdd dates), retrieved 2 July 2026