So one of the FRs that came out of RSAC was to join together CVE predictions with trend data. We added a tab to the CAUSALITY web application interface to check the prediction label rating of CVEs trending there:
So far, for 2026, model recall is between 95-96%, meaning that percentage of KEV CVEs are being predicted accurately. There are 252 provable predictions in the project journal (https://github.com/opendr-io/causality/blob/main/journal.md) which are timestamped by GitHub commit history so that anyone can audit them. Every intrusion prediction, and associated incident response avoidance, saves around a thousand hours of time that goes back to the business; 252 avoided incidents is north of a quarter million hours of time.
The lift also continues to improve, compared to conventional metrics. Ninety percent of the KEV CVEs come from 19% of the population which allows for more precision risk targeting as shown below. Roughly a third of KEV CVEs are critical; 45% are high or medium; and another 30% had no severity label in the first quarter of the year. The severity label is being discontinued by NIST, for all but a subset of CVEs, this year.
ODR - openDR 