CVSS vs. EPSS: When to Use Which
Takeaways
CVSS answers how bad, EPSS answers how likely: Together they provide severity and likelihood, the two core dimensions of risk.
CVSS is best for SLA classification: Severity-based SLA tiers are a reasonable starting point for remediation timelines.
EPSS is best for urgency within tiers: Among all critical CVSS findings, EPSS identifies which ones need attention first.
Neither alone captures full risk: Asset criticality, compensating controls, and confirmed exploitation status (CISA KEV) are also needed.
Combined models outperform either individually: Research shows better exploitation coverage with less remediation effort when both are used together.
Two Dimensions of Vulnerability Risk
Risk assessment in any discipline combines two fundamental questions: how bad could the outcome be, and how likely is the outcome to occur? In vulnerability management, CVSS answers the first question (severity) and EPSS answers the second (exploitation likelihood). Each provides essential information, and neither alone captures the full picture of risk that drives effective prioritization.
CVSS (Common Vulnerability Scoring System) evaluates the technical characteristics of a vulnerability: attack vector, complexity, required privileges, user interaction, and impact on confidentiality, integrity, and availability. The output is a score from 0.0 to 10.0 that indicates intrinsic severity. CVSS is static; once assigned, Base Scores rarely change. CVSS tells organizations "if this vulnerability is exploited, the consequences would be severe" without addressing whether exploitation is probable.
EPSS (Exploit Prediction Scoring System) uses machine learning trained on real-world exploitation data to estimate the probability that a vulnerability will be exploited in the wild within 30 days. The output is a probability score from 0.0 to 1.0. EPSS is dynamic, updated daily as new exploitation data and exploit code become available. EPSS tells organizations "based on current data, this vulnerability has a specific probability of being targeted" without addressing the consequences of successful exploitation.
Neither question alone is sufficient for prioritization. A vulnerability that is highly likely to be exploited but has minimal impact (low CVSS) may be less urgent than one with devastating impact that is moderately likely to be targeted. Conversely, a vulnerability with maximum severity (CVSS 10.0) but near-zero exploitation probability (EPSS 0.001) is less urgent than a moderate-severity vulnerability (CVSS 7.5) with high exploitation probability (EPSS 0.85). Effective prioritization combines both dimensions, along with organizational context, to direct remediation effort where it reduces the most risk.
When CVSS Is Most Useful
CVSS is most useful as a classification and SLA-setting mechanism. Severity-based SLA tiers, where critical vulnerabilities (CVSS 9.0-10.0) must be remediated within 7 days, high (7.0-8.9) within 30 days, medium (4.0-6.9) within 90 days, and low (0.1-3.9) within 180 days, provide a reasonable baseline for remediation expectations. These tiers establish a common language between security and IT teams about how urgently each class of finding should be addressed.
CVSS is also useful for compliance reporting. Many compliance frameworks reference vulnerability severity levels when defining scanning and remediation requirements. PCI DSS, for example, requires that "high-risk" vulnerabilities be addressed promptly. CVSS provides the standardized severity classification that maps to these compliance requirements.
CVSS is appropriate when the goal is to understand the worst-case impact of a vulnerability, independent of the current threat landscape. During vendor risk assessment, when evaluating the security of a software product, or when comparing vulnerabilities across different products, CVSS provides a standardized severity comparison that is useful regardless of whether the vulnerability is currently being exploited.
CVSS is less useful when the goal is to decide which vulnerabilities to fix first today. The critical and high tiers typically contain too many findings for the team to address simultaneously, and CVSS provides no mechanism for distinguishing within those tiers. This is where EPSS adds the most value.
When EPSS Is Most Useful
EPSS is most useful for urgency ranking within CVSS severity tiers. Among the 500 critical CVSS findings on the remediation queue, EPSS identifies the 30 with the highest exploitation probability. Those 30 represent the most immediate threat and should receive priority remediation effort. The remaining 470 are still critical by severity and should be remediated within their SLA windows, but they are less likely to be exploited in the near term and can be sequenced after the high-EPSS findings.
EPSS is also useful for identifying moderate-severity vulnerabilities that warrant faster remediation than their CVSS score would suggest. A CVSS 6.5 vulnerability with an EPSS score of 0.90 is being actively exploited despite its moderate severity rating. Under CVSS-only prioritization, this finding would sit in the medium tier with a 90-day SLA. Under EPSS-informed prioritization, it would be escalated to a faster remediation timeline because the exploitation probability indicates near-term risk.
EPSS is valuable as an early warning system. Monitoring EPSS score changes for open vulnerabilities detects transitions from low to high exploitation probability, which often correspond to new exploit code publications or the emergence of active campaigns. A vulnerability whose EPSS score jumps from 0.02 to 0.45 overnight warrants immediate attention regardless of how long it has been open or where it sits in the current remediation queue.
EPSS is less useful for targeted threat scenarios. If threat intelligence indicates that a specific threat group is targeting the organization and is known to use a particular vulnerability, the EPSS global probability is less relevant than the targeted threat assessment. In these cases, any vulnerability known to be in the threat group's toolkit should be treated as high priority regardless of its EPSS score.
Combining CVSS and EPSS
The most effective prioritization models use both CVSS and EPSS, along with additional context, to produce a composite risk score. Several practical approaches exist for combining them.
Quadrant Model
Plot vulnerabilities on a two-axis chart with CVSS (severity) on one axis and EPSS (likelihood) on the other. The upper-right quadrant (high severity, high likelihood) represents the highest priority. The lower-left quadrant (low severity, low likelihood) represents the lowest priority. The upper-left (high severity, low likelihood) and lower-right (low severity, high likelihood) require judgment about whether to prioritize severity or likelihood for a given environment.
Tiered Model
Create priority tiers that combine both scores. Tier 1 requires both high CVSS (above 7.0) and high EPSS (above a threshold like 0.10), plus any CVE in the CISA KEV catalog. Tier 2 includes findings with high CVSS but low EPSS, or high EPSS with moderate CVSS. Tier 3 encompasses everything else. SLAs are assigned by tier rather than by CVSS alone, ensuring that Tier 1 findings receive the fastest response.
Weighted Composite Score
Calculate a composite risk score that mathematically combines CVSS and EPSS with asset criticality weights. For example: Risk = CVSS × EPSS × Asset_Criticality_Factor. This produces a continuous score that can be sorted and filtered, with higher scores indicating findings where severity, likelihood, and asset importance all align.
Each approach produces better prioritization outcomes than using either score alone. Research from FIRST and academic security research groups has demonstrated that combined CVSS-EPSS prioritization achieves higher exploitation coverage (remediating more of the vulnerabilities that are actually exploited) with lower effort (remediating fewer total vulnerabilities) compared to CVSS-only or EPSS-only approaches.
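The tiered model and the weighted composite score above, worked through in Python as an added example (this is not code from the original article). The CVSS and EPSS thresholds are the ones the text names; the "moderate CVSS" floor of 4.0, the asset-criticality factor values, and the sample queue (built from findings A, B and C in the article's later examples, plus a low finding D) are constructed inputs.

```python
from dataclasses import dataclass

HIGH_CVSS = 7.0       # tiered model: "high CVSS (above 7.0)"
HIGH_EPSS = 0.10      # tiered model: "high EPSS (above a threshold like 0.10)"
MODERATE_CVSS = 4.0   # assumed: bottom of the CVSS medium band counts as "moderate"

@dataclass
class Finding:
    cve: str
    cvss: float
    epss: float
    in_kev: bool = False       # listed in the CISA KEV catalog
    asset_factor: float = 1.0  # assumed asset-criticality weight; 1.0 is a baseline asset

def tier(f: Finding) -> int:
    """Tiered model: KEV entry or (high CVSS and high EPSS) is Tier 1; high CVSS with low
    EPSS, or high EPSS with at least moderate CVSS, is Tier 2; everything else is Tier 3."""
    high_cvss, high_epss = f.cvss > HIGH_CVSS, f.epss > HIGH_EPSS
    if f.in_kev or (high_cvss and high_epss):
        return 1
    if high_cvss or (high_epss and f.cvss >= MODERATE_CVSS):
        return 2
    return 3

def composite(f: Finding) -> float:
    """Weighted composite score: Risk = CVSS x EPSS x Asset_Criticality_Factor."""
    return round(f.cvss * f.epss * f.asset_factor, 4)

def prioritize(findings):
    """Order the queue: tier first, confirmed KEV exploitation ahead of everything else in
    its tier, then the composite score descending to sequence work inside a tier."""
    return sorted(findings, key=lambda f: (tier(f), not f.in_kev, -composite(f)))

# Constructed queue mirroring the article's findings A, B and C, plus a low finding D.
# VULN-A sits on a more critical asset (factor 1.5) to show the weight in use.
QUEUE = [
    Finding("VULN-A", cvss=9.8, epss=0.003, asset_factor=1.5),
    Finding("VULN-B", cvss=7.2, epss=0.78),
    Finding("VULN-C", cvss=6.8, epss=0.12, in_kev=True),
    Finding("VULN-D", cvss=3.1, epss=0.02),
]

if __name__ == "__main__":
    for f in prioritize(QUEUE):
        print(f"tier {tier(f)}  kev={f.in_kev}  risk={composite(f):6.3f}  {f.cve}")
```

Note that VULN-A, the CVSS 9.8 finding, lands in Tier 2 behind the KEV entry and the high-EPSS finding even with its asset weight applied, which is exactly the reordering the article describes.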
Beyond CVSS and EPSS
While CVSS and EPSS provide the severity and likelihood dimensions of risk, additional inputs are needed for comprehensive prioritization. The CISA Known Exploited Vulnerabilities (KEV) catalog identifies CVEs with confirmed active exploitation, providing a binary indicator that should override scoring-based prioritization: if a CVE is on the KEV, it should be at the top of the queue regardless of its CVSS or EPSS scores. Asset criticality data connects findings to business impact, ensuring that vulnerabilities on high-value systems receive appropriate weight. Compensating controls (WAF rules, network segmentation, EDR) modify the effective risk by reducing exploitability or limiting impact even when the vulnerability remains unpatched.
The progression from basic to mature prioritization follows a clear path. Stage 1 (basic) uses CVSS severity tiers. Stage 2 (improved) adds EPSS to differentiate urgency within tiers. Stage 3 (risk-based) adds asset criticality and CISA KEV status. Stage 4 (contextual) adds compensating control awareness and threat intelligence specific to the organization's industry and threat profile. Each stage produces better outcomes than the previous one, and the improvement from Stage 1 (CVSS only) to Stage 2 (CVSS plus EPSS) is typically the largest single gain in prioritization effectiveness.
Real-World Prioritization Examples
Consider two vulnerabilities discovered in the same scan cycle. Vulnerability A has a CVSS score of 9.8 (critical) and an EPSS score of 0.003 (0.3% exploitation probability). Vulnerability B has a CVSS score of 7.2 (high) and an EPSS score of 0.78 (78% exploitation probability). Under CVSS-only prioritization, Vulnerability A is remediated first because it is critical. Under EPSS-informed prioritization, Vulnerability B receives immediate attention because it has a 78% chance of being exploited within 30 days, while Vulnerability A, despite its higher severity, has a less than 1% chance of exploitation.
This scenario plays out across thousands of findings in enterprise environments. CVSS-only prioritization directs the majority of remediation effort toward findings that are technically severe but statistically unlikely to be exploited, while moderate-severity findings with high exploitation probability wait in the queue. EPSS-informed prioritization corrects this misallocation by ensuring that exploitation likelihood, not just severity, determines urgency.
A second example illustrates how CISA KEV status overrides both scores. Vulnerability C has a CVSS score of 6.8 (medium) and an EPSS score of 0.12 (12%). Normally, this finding would receive moderate priority. But Vulnerability C appears in the CISA KEV catalog, confirming that it is actively exploited in the wild. This confirmed exploitation status moves the finding to top priority regardless of its CVSS and EPSS scores. The KEV catalog provides a binary "this is being exploited right now" signal that takes precedence over probabilistic assessments.
These examples illustrate the layered nature of effective prioritization. CVSS sets the severity baseline. EPSS differentiates urgency within severity tiers. CISA KEV overrides both when confirmed exploitation is observed. Asset criticality adjusts priority based on business impact. Each layer improves the accuracy of the prioritization model, and the combined result is significantly better than any single input alone.
What Are Common Mistakes When Using CVSS and EPSS Together?
The most common mistake is treating EPSS as a replacement for CVSS rather than a complement. Organizations that abandon CVSS-based SLAs entirely and use only EPSS for prioritization lose the severity dimension. A vulnerability with a low EPSS score today might be exploited next month when new exploit code is published. The CVSS-based SLA ensures it is still remediated within a reasonable timeframe even if it never reaches high EPSS priority. EPSS determines which findings get urgent, accelerated attention; CVSS ensures everything gets addressed eventually.
Another mistake is setting EPSS thresholds too high, which filters out too many findings and creates a false sense of security. If the organization only remediates findings with EPSS above 0.50, it ignores findings with 10-49% exploitation probability, which collectively represent significant cumulative risk. Thresholds should be calibrated based on the organization's remediation capacity and risk appetite, and they should be reviewed regularly as the EPSS model evolves and the threat landscape changes.
Ignoring EPSS score changes is a third mistake. EPSS is dynamic, and a finding that was low-priority yesterday might be high-priority today because new exploitation activity was observed. Organizations using EPSS should monitor score changes for their open vulnerability population and have a process for escalating findings whose EPSS scores increase significantly. This monitoring can be automated through the EPSS API and integrated into the vulnerability management platform's alerting workflow.
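The day-over-day EPSS monitoring described above, as an added Python example (not code from the original article). It assumes the daily snapshot is a CSV with one leading '#' metadata line and a cve,epss,percentile header; the two snapshots, the CVE identifiers, the set of open findings and the 0.20 escalation delta are all constructed for the example.

```python
import csv
import io

# Constructed snapshots in the shape of a daily EPSS CSV (format assumed: one '#' metadata
# line, then a cve,epss,percentile header). CVE ids are placeholders.
YESTERDAY_CSV = """#model_version:vX,score_date:2000-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.02000,0.88
CVE-0000-0002,0.30000,0.97
CVE-0000-0003,0.08000,0.93
CVE-0000-0004,0.00500,0.70
CVE-0000-0005,0.60000,0.99
"""
TODAY_CSV = """#model_version:vX,score_date:2000-01-02T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.45000,0.98
CVE-0000-0002,0.31000,0.97
CVE-0000-0003,0.12000,0.95
CVE-0000-0004,0.00400,0.68
CVE-0000-0005,0.61000,0.99
"""
# The organisation's open findings; CVE-0000-0005 is not open, so it is never escalated.
OPEN_CVES = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"}

HIGH_EPSS = 0.10       # the article's Tier 1 EPSS threshold
ESCALATE_DELTA = 0.20  # assumed: an absolute day-over-day rise this large escalates on its own

def load_epss(text):
    """Parse one snapshot into {cve: epss}, skipping '#' metadata lines."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in rows}

def escalations(prev_csv, curr_csv, open_cves):
    """Return (cve, old, new, reason) for open findings whose EPSS rose enough to escalate.
    'jump': rise of at least ESCALATE_DELTA; 'crossed': moved from at/below HIGH_EPSS to above it."""
    prev, curr = load_epss(prev_csv), load_epss(curr_csv)
    out = []
    for cve in sorted(open_cves):
        if cve not in curr:
            continue  # not scored today; nothing to compare
        old, new = prev.get(cve, 0.0), curr[cve]  # a newly scored CVE counts as rising from 0.0
        if new - old >= ESCALATE_DELTA:
            out.append((cve, old, new, "jump"))
        elif old <= HIGH_EPSS < new:
            out.append((cve, old, new, "crossed"))
    return sorted(out, key=lambda r: r[2] - r[1], reverse=True)  # biggest rise first
```

Running `escalations(YESTERDAY_CSV, TODAY_CSV, OPEN_CVES)` flags the 0.02 to 0.45 jump first and the 0.08 to 0.12 threshold crossing second; the crossing rule is what catches the smaller moves that a pure delta threshold would miss.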