What Is EPSS (Exploit Prediction Scoring System)?
Takeaways
EPSS predicts exploitation likelihood: It estimates the probability that a CVE will be exploited in the wild within the next 30 days.
EPSS complements CVSS, not replaces it: CVSS measures severity; EPSS measures likelihood. Together they provide a more complete risk picture.
Most vulnerabilities have very low EPSS scores: The majority of CVEs have less than 1% probability of exploitation, which helps focus remediation on the few that matter.
EPSS uses machine learning on real-world data: The model is trained on observed exploitation activity, exploit code availability, and vulnerability characteristics.
EPSS scores update daily: Unlike static CVSS scores, EPSS reflects the current threat landscape and adjusts as conditions change.
What Is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model that estimates the probability that a software vulnerability will be exploited in the wild within the next 30 days. Developed by FIRST (the Forum of Incident Response and Security Teams), the same organization that maintains CVSS, EPSS provides a likelihood score between 0 and 1 (0% to 100%) for each CVE in the catalog. A score of 0.05 means there is a 5% probability the vulnerability will be exploited in the next 30 days. A score of 0.95 means a 95% probability.
EPSS addresses a critical gap in vulnerability management: the distinction between vulnerabilities that are technically severe and vulnerabilities that are actually being targeted by attackers. CVSS tells organizations how bad a vulnerability could be if exploited. EPSS tells organizations how likely it is that the vulnerability will be exploited. This distinction is essential for prioritization because security teams have limited remediation capacity and need to focus on the vulnerabilities that represent the most immediate threat.
The model is updated daily, reflecting changes in the threat landscape as new exploit code is published, threat actor campaigns target new vulnerabilities, and exploitation activity is observed in the wild. This dynamic scoring contrasts with CVSS Base Scores, which are assigned once and rarely updated. A vulnerability's EPSS score can increase dramatically overnight if a proof-of-concept exploit is published or if exploitation is observed in a major campaign.
How EPSS Works
Model Inputs and Training Data
EPSS uses a machine learning model trained on historical exploitation data, vulnerability characteristics, and threat intelligence signals to predict future exploitation probability. The model's inputs include properties of the vulnerability itself (CVSS metrics, CWE classification, affected software type), the availability and maturity of exploit code (presence in exploit databases, Metasploit modules, proof-of-concept publications), references and publication metadata (vendor advisory details, social media mentions, security researcher attention), and observed exploitation activity (honeypot data, IDS signatures, threat intelligence feeds reporting active exploitation).
The model is trained on the relationship between these inputs and the actual outcome: was the vulnerability exploited in the wild within 30 days? By analyzing patterns across hundreds of thousands of CVEs and their exploitation histories, the model learns which combinations of characteristics predict exploitation. A newly disclosed CVE with a network-based attack vector, low complexity, and publicly available exploit code has characteristics that historically correlate with near-term exploitation, and its EPSS score reflects that correlation.
Interpreting EPSS Scores
EPSS scores are not certainties. They are probabilistic estimates based on historical patterns. A score of 0.10 means that among vulnerabilities with similar characteristics, approximately 10% were exploited within 30 days historically. The model's accuracy is evaluated using standard classification metrics, and its current version demonstrates significant improvement over CVSS alone at identifying the small subset of CVEs that are actually exploited.
Why Most CVEs Have Low EPSS Scores
One of the most useful insights from EPSS is the extreme skew in exploitation probability across the CVE catalog. The vast majority of published CVEs, more than 95%, have EPSS scores below 0.10 (10% probability of exploitation within 30 days). Most have scores below 0.01 (less than 1% probability). Only a small percentage of CVEs have scores above 0.50, indicating a greater than 50% chance of exploitation.
This distribution reflects a well-known reality in threat intelligence: attackers exploit a small fraction of the vulnerabilities that are disclosed each year. Of the tens of thousands of CVEs published annually, the number with confirmed exploitation in the wild is typically in the hundreds. Attackers concentrate on vulnerabilities that are easy to exploit, widely deployed, and useful for their objectives. The majority of CVEs are disclosed, patched, and never actively exploited.
For vulnerability management programs, this distribution is actionable. If 95% of CVEs have less than a 10% chance of being exploited, then treating all critical CVSS-rated CVEs as equally urgent dramatically overstates the threat for most of them. EPSS provides the data to narrow the urgent queue to the CVEs that actually warrant immediate attention based on exploitation probability, rather than treating the entire critical and high population as equally dangerous.
EPSS vs. CVSS
EPSS and CVSS measure different things and serve different purposes in the prioritization process. CVSS measures intrinsic severity: how technically severe is this vulnerability based on its characteristics? EPSS measures exploitation likelihood: how probable is it that this vulnerability will be targeted by attackers in the near term? Neither replaces the other. Together, they provide two dimensions of a more complete risk assessment.
A vulnerability with a high CVSS score and a high EPSS score is both severe and likely to be exploited: it belongs at the top of the remediation queue. A vulnerability with a high CVSS score but a very low EPSS score is severe but unlikely to be exploited in the near term: it should be remediated, but not necessarily ahead of findings with higher exploitation probability. A vulnerability with a moderate CVSS score but a high EPSS score might not look alarming based on severity alone, but the high exploitation probability makes it a near-term threat that warrants faster remediation than its CVSS score would suggest.
Research comparing CVSS-only prioritization against EPSS-enhanced prioritization consistently shows that EPSS-based approaches achieve better exploitation coverage with less remediation effort. An organization that patches the top 10% of CVEs by EPSS score remediates a larger portion of actually exploited vulnerabilities than an organization that patches the top 10% by CVSS score. This efficiency gain is the practical value proposition of EPSS: the same or greater risk reduction with less effort wasted on vulnerabilities that are never exploited.
Using EPSS in Practice
Obtaining and Integrating EPSS Data
Integrating EPSS into a vulnerability management program involves several practical steps. First, obtain EPSS scores for the organization's open vulnerabilities. EPSS data is freely available through the FIRST EPSS API, and many vulnerability management platforms and scanners incorporate EPSS scores alongside CVSS in their findings. If the organization's scanner does not natively include EPSS, the scores can be retrieved via API and correlated by CVE identifier.
Second, incorporate EPSS into the prioritization model alongside CVSS and asset context. A simple approach is to create priority tiers: Tier 1 includes findings with both high CVSS (7.0+) and high EPSS (above a threshold, such as 0.10 or 0.30), plus any CVEs in the CISA KEV catalog. Tier 2 includes findings with high CVSS but low EPSS. Tier 3 includes findings with moderate CVSS. This tiered model ensures that the most severe and most likely-to-be-exploited vulnerabilities receive attention first.
Monitoring EPSS Trends
Third, use EPSS trends to detect emerging threats. A vulnerability whose EPSS score increases significantly from one day to the next may indicate that new exploit code was published or exploitation activity was observed. Monitoring EPSS score changes for open vulnerabilities provides an early warning system for vulnerabilities that are transitioning from theoretical to active threats.
Fourth, set EPSS-informed SLAs. Rather than applying the same SLA to all critical CVSS findings, differentiate based on EPSS: critical findings with high EPSS scores receive shorter SLAs (reflecting the near-term exploitation threat), while critical findings with very low EPSS scores receive standard SLAs. This approach directs urgency where the data supports it, reducing the volume of emergency patching without accepting additional risk.
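The four steps above (tiering by CVSS, EPSS and KEV membership, flagging day-over-day EPSS jumps, and attaching tier-specific SLAs) worked through as an added example; this is illustrative code written for this page, not a FIRST tool or API client. The CVSS/EPSS thresholds come from the text; the 0.20 jump threshold, the SLA day counts, the fourth tier and the sample findings are assumptions.

```python
from dataclasses import dataclass

# Thresholds from the article: CVSS 7.0+ is "high", CVSS 4.0-6.9 is treated as
# "moderate", and EPSS above 0.10 counts as "high" likelihood (0.30 is the
# article's alternative threshold).
HIGH_CVSS, MODERATE_CVSS, HIGH_EPSS = 7.0, 4.0, 0.10
# Assumed values, not from the article: day-over-day EPSS jump that raises a trend alert, SLA days per tier.
EPSS_JUMP = 0.20
SLA_DAYS = {1: 7, 2: 30, 3: 90, 4: 180}

@dataclass
class Finding:
    cve: str
    cvss: float
    epss_today: float
    epss_yesterday: float
    in_kev: bool = False  # listed in the CISA KEV catalog

def tier(f: Finding) -> int:
    """Tier 1: KEV, or high CVSS and high EPSS. Tier 2: high CVSS, low EPSS.
    Tier 3: moderate CVSS. Tier 4 (assumed): everything below moderate."""
    if f.in_kev or (f.cvss >= HIGH_CVSS and f.epss_today > HIGH_EPSS):
        return 1
    if f.cvss >= HIGH_CVSS:
        return 2
    if f.cvss >= MODERATE_CVSS:
        return 3
    return 4

def epss_alert(f: Finding) -> bool:
    """True when EPSS rose by more than EPSS_JUMP since yesterday's snapshot."""
    return f.epss_today - f.epss_yesterday > EPSS_JUMP

def prioritize(findings):
    """Queue ordered by tier, then by descending EPSS, with SLA and trend flag."""
    rows = [{"cve": f.cve, "tier": tier(f), "sla_days": SLA_DAYS[tier(f)],
             "epss": f.epss_today, "trend_alert": epss_alert(f)} for f in findings]
    return sorted(rows, key=lambda r: (r["tier"], -r["epss"]))

# Constructed sample findings; the CVE ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, 0.02),                # severe, unlikely
    Finding("CVE-0000-0002", 6.5, 0.45, 0.05),                # moderate, EPSS jumped
    Finding("CVE-0000-0003", 7.5, 0.30, 0.28),                # severe and likely
    Finding("CVE-0000-0004", 5.0, 0.01, 0.01, in_kev=True),   # KEV overrides the scores
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Note that the moderate-CVSS finding with the jumped EPSS lands in Tier 3 under the article's tier rules but carries a trend alert, which is the signal a team would use to pull it forward.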
Limitations of EPSS
EPSS is a probabilistic model, not a crystal ball. It cannot predict zero-day exploitation or exploitation by a specific threat actor with specific interest in the organization. A vulnerability with a low EPSS score can still be exploited, particularly in targeted attacks. EPSS is most useful for managing the broad portfolio of open vulnerabilities, where statistical predictions across thousands of findings provide meaningful prioritization signal. It is less useful for predicting the behavior of advanced persistent threat groups with specific targeting objectives.
EPSS does not account for organizational context. A vulnerability with a low EPSS score globally might be highly relevant to an organization in a specific industry that is being targeted by campaigns using that vulnerability. Supplementing EPSS with industry-specific threat intelligence provides additional context that the global model does not capture.
EPSS is one input, not the sole decision-maker. The most effective prioritization models combine EPSS (exploitation likelihood), CVSS (severity), CISA KEV (confirmed exploitation), asset criticality (business impact), and compensating controls (effective mitigation) into a composite risk score. EPSS significantly improves prioritization when added to this mix, but it does not replace the other dimensions of risk assessment.
EPSS in Organizational Context
While EPSS provides a global exploitation probability, organizations should consider how to contextualize this global score for their specific environment. An organization in the financial services sector targeted by threat groups known to exploit specific vulnerability classes might weight certain EPSS scores higher based on industry-specific threat intelligence. An organization with a small, tightly controlled environment might use EPSS thresholds differently than a large enterprise with thousands of internet-facing assets.
EPSS is most powerful when combined with asset context that the global model does not include. A vulnerability with an EPSS score of 0.15 on an internet-facing server processing customer data represents different organizational risk than the same EPSS score on an internal development sandbox. The EPSS score provides the exploitation likelihood dimension; the organization provides the asset criticality and exposure context. Combining both produces the most accurate prioritization.
Organizations should also track how EPSS scores correlate with their own exploitation experience. If the organization experiences incidents involving vulnerabilities that had low EPSS scores, this suggests that targeted threat activity (which EPSS may not capture) is a significant factor in the organization's threat profile, and supplementary threat intelligence should receive more weight in the prioritization model. If exploitation experience aligns well with EPSS predictions, the organization can rely more heavily on EPSS for day-to-day prioritization decisions.
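The composite score described under Limitations (EPSS, CVSS, KEV, asset criticality, compensating controls) applied to the scenario above of one EPSS 0.15 vulnerability on an internet-facing customer-data server versus an internal sandbox, as an added example that is not part of the article. The weights, the criticality scale, the KEV likelihood floor, the exposure factors and the sample CVE ids and assets are all assumptions; the article names the dimensions but gives no formula.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    internet_facing: bool
    criticality: int  # 1 (throwaway sandbox) to 5 (customer-data system); scale assumed

@dataclass
class Vuln:
    cve: str
    cvss: float
    epss: float
    in_kev: bool = False  # confirmed exploitation per CISA KEV

# Assumed weights for illustration; the article names the five dimensions but gives no formula.
KEV_LIKELIHOOD_FLOOR = 0.90          # KEV listing is treated as near-certain likelihood
EXPOSURE = {True: 1.0, False: 0.4}   # internal assets get a reduced exposure factor

def composite_risk(v: Vuln, a: Asset, control_effectiveness: float = 0.0) -> float:
    """Score in [0, 100] = severity x likelihood x exposure x criticality x residual.

    control_effectiveness is the fraction of risk a compensating control removes
    (0.0 = none, 1.0 = fully mitigated)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0.0 and 1.0")
    likelihood = max(v.epss, KEV_LIKELIHOOD_FLOOR) if v.in_kev else v.epss
    severity = v.cvss / 10.0
    exposure = EXPOSURE[a.internet_facing]
    criticality = a.criticality / 5.0
    residual = 1.0 - control_effectiveness
    return round(100 * severity * likelihood * exposure * criticality * residual, 2)

# Constructed scenario: the same EPSS 0.15 vulnerability on an internet-facing
# customer-data server and on an internal development sandbox, plus a KEV-listed
# CVE with a low global EPSS. CVE ids and CVSS values are placeholders.
VULN = Vuln("CVE-0000-0001", cvss=8.0, epss=0.15)
KEV_VULN = Vuln("CVE-0000-0002", cvss=6.0, epss=0.02, in_kev=True)
SERVER = Asset("customer-api", internet_facing=True, criticality=5)
SANDBOX = Asset("dev-sandbox", internet_facing=False, criticality=1)

def rank(triples):
    """Order (vuln, asset, control_effectiveness) triples by descending composite risk."""
    return sorted(triples, key=lambda t: composite_risk(*t), reverse=True)

if __name__ == "__main__":
    queue = [(VULN, SERVER, 0.0), (VULN, SANDBOX, 0.0), (VULN, SERVER, 0.5), (KEV_VULN, SERVER, 0.0)]
    for v, a, c in rank(queue):
        print(f"{v.cve} on {a.name} (controls {c:.0%}): {composite_risk(v, a, c)}")
```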
EPSS Adoption Considerations
Organizations adopting EPSS should communicate the change in prioritization methodology to stakeholders. Remediation teams accustomed to working from CVSS-sorted lists need to understand why a medium-severity vulnerability might now receive higher priority than a critical one. Explaining the rationale, showing examples of high-CVSS/low-EPSS vs. moderate-CVSS/high-EPSS scenarios, and demonstrating the efficiency gains from EPSS-informed prioritization builds buy-in from teams whose workload is directly affected by the prioritization model.
Compliance teams should verify that EPSS-informed prioritization satisfies regulatory requirements. Most compliance frameworks reference vulnerability severity when defining remediation timelines but do not prescribe specific prioritization methodologies. Using EPSS to inform urgency within severity tiers, while maintaining severity-based SLAs for compliance purposes, satisfies both regulatory requirements and operational efficiency objectives. Documenting the rationale for the prioritization approach provides audit evidence that the methodology is risk-informed and defensible.