In depth
Each EPSS score is a probability between 0 and 1, paired with a percentile rank indicating where the score sits relative to all other CVEs on that day. A CVE with EPSS 0.97 (97% probability of exploitation in the next 30 days, typically in the top 1% of all CVEs) is operationally urgent regardless of CVSS. A CVE with EPSS 0.001 and 50th-percentile rank may have a CVSS of 9.8 but is unlikely to be exploited in practice, and patching it ahead of higher-EPSS CVEs is a misallocation of remediation effort.
The data behind EPSS is the operationally interesting part. Only roughly 5% of CVEs ever have a public exploit observed. Of those, only a fraction are weaponised at scale. Of those, only a fraction become opportunistic-scanning targets. A naive "patch by CVSS" prioritisation strategy therefore over-patches by an order of magnitude on vulnerabilities that adversaries will never use. The EPSS-based pattern is to triage on the intersection of CVSS (severity) and EPSS (likelihood) — high on both is operationally urgent; high CVSS and low EPSS is "patch on the normal cycle"; low CVSS and high EPSS is "watch closely, especially if exposed to the internet."
EPSS is most effective when combined with CISA's KEV (Known Exploited Vulnerabilities) catalog — KEV is the binary "this is confirmed exploited in the wild" signal, EPSS is the continuous "how likely is this to be exploited" signal. Mature vulnerability-management programmes consume both and adjust SLA-to-patch based on the combined signal. See VAPT services and CVSS.
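The CVSS-by-EPSS triage matrix and the KEV override from the two paragraphs above, as an added example that is not part of the original page. The thresholds (EPSS 0.10, CVSS 7.0), the SLA day counts and the CVE records are all assumed or constructed for illustration; real programmes would pull EPSS scores from FIRST's daily feed and KEV membership from CISA's catalog.

```python
from dataclasses import dataclass

# Assumed thresholds, not taken from the page: treat EPSS >= 0.10 as "high
# likelihood" and CVSS >= 7.0 as "high severity". Tune to your own risk appetite.
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0

# Buckets in priority order; the number is an illustrative patch SLA in days.
SLA_DAYS = {"kev": 3, "urgent": 7, "watch-exposed": 14, "normal-cycle": 30,
            "watch": 30, "backlog": 90}
RANK = {bucket: i for i, bucket in enumerate(SLA_DAYS)}

@dataclass
class CveRecord:
    cve_id: str
    cvss: float
    epss: float             # probability of exploitation in the next 30 days, 0..1
    epss_percentile: float  # rank relative to all other CVEs that day, 0..1
    in_kev: bool = False
    internet_exposed: bool = False

def triage(rec: CveRecord) -> str:
    """Map one CVE onto the CVSS x EPSS x KEV matrix described above."""
    if rec.in_kev:                       # confirmed exploited: overrides everything
        return "kev"
    high_sev, high_like = rec.cvss >= CVSS_HIGH, rec.epss >= EPSS_HIGH
    if high_sev and high_like:
        return "urgent"
    if high_like:                        # low CVSS, high EPSS: watch, tighter if exposed
        return "watch-exposed" if rec.internet_exposed else "watch"
    if high_sev:                         # high CVSS, low EPSS: normal patch cycle
        return "normal-cycle"
    return "backlog"

def prioritise(records):
    """Order by bucket, then by EPSS and CVSS (both descending)."""
    return sorted(records, key=lambda r: (RANK[triage(r)], -r.epss, -r.cvss))

def cvss_only(records):
    """The naive CVSS-only ordering the text argues against, for comparison."""
    return sorted(records, key=lambda r: -r.cvss)

# Constructed sample records: IDs and scores are made up for this example.
SAMPLE = [
    CveRecord("CVE-0000-0001", cvss=9.8, epss=0.001, epss_percentile=0.50),
    CveRecord("CVE-0000-0002", cvss=5.3, epss=0.97, epss_percentile=0.995, internet_exposed=True),
    CveRecord("CVE-0000-0003", cvss=7.5, epss=0.42, epss_percentile=0.97),
    CveRecord("CVE-0000-0004", cvss=6.1, epss=0.02, epss_percentile=0.80, in_kev=True),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        b = triage(r)
        print(f"{r.cve_id} {b:14} SLA={SLA_DAYS[b]}d cvss={r.cvss} epss={r.epss}")
```

Run side by side, `cvss_only(SAMPLE)` puts the CVSS 9.8 / EPSS 0.001 record first while `prioritise(SAMPLE)` pushes it to the normal cycle behind the KEV entry and the high-EPSS records.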