Category: Vulnerability Management

Exploit Prediction Scoring System

Simply put

The Exploit Prediction Scoring System (EPSS) is a scoring system that estimates the probability that a known vulnerability will be exploited in the wild within the next 30 days. It uses a data-driven, machine-learning model to produce a daily updated probability score for published CVEs. Security teams use EPSS scores to help prioritize which vulnerabilities to remediate based on the likelihood of real-world exploitation.

Formal definition

EPSS is a data-driven, machine-learning model maintained by FIRST that produces a daily probability estimate for each published CVE, representing the likelihood that exploitation activity will be observed in the next 30 days. The model ingests signals such as threat intelligence feeds, vulnerability characteristics, and observed exploitation data to generate a score between 0 and 1. EPSS is designed to complement severity-based scoring systems such as CVSS by incorporating exploitation likelihood rather than impact or exploitability conditions alone, enabling practitioners to prioritize remediation efforts toward vulnerabilities with elevated near-term exploitation probability.

Why it matters

Most organizations face a substantial gap between the volume of published vulnerabilities and their capacity to remediate them. Severity-based scoring systems such as CVSS assess the potential impact and exploitability conditions of a vulnerability, but they do not directly indicate whether attackers are likely to target a given CVE in the near term. EPSS addresses this gap by providing a daily probability estimate for exploitation within the next 30 days, giving security teams a forward-looking signal they can use to focus remediation effort on vulnerabilities that pose an elevated, near-term risk rather than working through queues based on severity alone.

Who it's relevant to

Vulnerability Management Teams
Vulnerability management practitioners are the primary audience for EPSS. They use daily EPSS scores to rank remediation queues, apply thresholds that trigger escalated response for high-probability CVEs, and report on risk posture in terms of exploitation likelihood rather than severity counts alone. EPSS helps these teams justify prioritization decisions to stakeholders by grounding them in exploitation probability data.
Security Operations Center (SOC) Analysts
SOC analysts can reference EPSS scores when triaging alerts or assessing whether a newly disclosed vulnerability warrants immediate defensive action. A high EPSS score for a CVE affecting an exposed asset may justify accelerated investigation or temporary compensating controls while a patch is developed or deployed.
Application Security Engineers
Application security teams responsible for tracking CVEs in third-party dependencies and libraries can use EPSS scores to determine which unpatched vulnerabilities in their software supply chain carry an elevated near-term exploitation risk. This supports more targeted patch management and risk acceptance decisions for vulnerabilities that cannot be immediately remediated.
Risk and Compliance Officers
Risk and compliance professionals can incorporate EPSS scores into risk quantification models to produce more accurate representations of an organization's current threat exposure. Using exploitation probability alongside asset value and exposure context allows for risk calculations that better reflect actual attacker behavior rather than theoretical maximum impact.
Threat Intelligence Analysts
Threat intelligence practitioners can use EPSS as one input among several when assessing the urgency of a newly disclosed vulnerability. Because EPSS scores update daily based on evolving threat signals, analysts can monitor score changes as an indicator that exploitation interest in a particular CVE is increasing, which may inform broader threat reporting and advisory work.

Inside EPSS

Probability Score
A numeric value between 0 and 1 representing the estimated likelihood that a given CVE will be exploited in the wild within the next 30 days, where higher values indicate greater predicted exploitation probability.
Percentile Rank
A relative ranking that indicates how a vulnerability's EPSS score compares to all other scored CVEs, helping practitioners understand a score's significance in context rather than in isolation.
Threat Intelligence Inputs
Data sources incorporated into the model, including information about exploit code availability, references in security advisories, mentions in threat feeds, and other observable signals that correlate with active exploitation.
CVE Identifier Linkage
Each EPSS score is tied to a specific CVE identifier, allowing integration with vulnerability management workflows, scanners, and asset inventories that already track vulnerabilities by CVE.
Daily Score Updates
EPSS scores are recalculated and published daily, reflecting changes in the threat landscape such as new exploit disclosures or shifts in observed exploitation activity, meaning scores for a given CVE may increase or decrease over time.
Model Version Tracking
FIRST publishes versioned iterations of the EPSS model as the methodology evolves, allowing consumers to understand which model version produced a given score and to account for scoring differences across versions.

Common questions

Answers to the questions practitioners most commonly ask about EPSS.

Does a high EPSS score mean a vulnerability is severe or has a large potential impact?
No. EPSS scores reflect only the probability that a vulnerability will be exploited in the wild within the next 30 days. They say nothing about the severity of potential impact, the breadth of affected systems, or the consequences of exploitation. A vulnerability can carry a high EPSS score while having a low CVSS severity score, and vice versa. Organizations should use EPSS alongside severity metrics rather than as a replacement for them.
Should a low EPSS score be treated as confirmation that a vulnerability is safe to deprioritize indefinitely?
No. A low EPSS score indicates a low predicted probability of exploitation within the next 30 days based on currently observable signals, but it does not mean exploitation is impossible or will not occur later. Threat landscapes change, new exploit code may be published, and attacker interest can shift. EPSS scores should be treated as one time-sensitive input into prioritization decisions, not as permanent safety assessments.
How frequently should organizations refresh EPSS scores in their vulnerability management workflows?
Because EPSS scores are updated daily by FIRST and reflect a 30-day forward-looking prediction window, organizations that rely on stale scores risk acting on outdated probability estimates. Practical implementations typically pull updated scores at least weekly, and teams managing high-velocity environments or critical infrastructure often refresh daily. The appropriate cadence depends on the volume of open vulnerabilities and the acceptable lag between score changes and remediation prioritization decisions.
What data sources does EPSS use to generate its predictions, and what does that mean for coverage gaps?
EPSS incorporates signals such as vulnerability characteristics, reference data, and observed exploitation activity drawn from threat intelligence feeds and scanning telemetry. Because the model depends on observable exploitation signals, vulnerabilities that are being exploited in targeted or highly covert campaigns may not yet be reflected in the underlying data, which can result in lower scores for actively exploited vulnerabilities that have not yet surfaced in monitored sources. Organizations should not treat EPSS as a substitute for threat intelligence specific to their industry or adversary profile.
How should EPSS scores be combined with CVSS scores in a practical prioritization framework?
CVSS scores quantify the technical severity and characteristics of a vulnerability, such as attack vector, complexity, and potential impact, while EPSS scores estimate the near-term likelihood of exploitation. A commonly adopted approach segments the vulnerability inventory by plotting CVSS severity against EPSS probability, prioritizing remediation for vulnerabilities that score high on both dimensions, and applying risk-tolerance thresholds to decide treatment for vulnerabilities that are high on one dimension but low on the other. Neither score alone is sufficient for prioritization decisions that account for both exploitability likelihood and business impact.
Can EPSS be applied to vulnerabilities that do not yet have a CVE identifier or that affect internal proprietary software?
No. EPSS scores are generated for CVE-identified vulnerabilities and depend on the signals associated with those publicly catalogued identifiers. Vulnerabilities in internal or proprietary software that have not been assigned a CVE, as well as vulnerability classes discovered through internal research that predate public disclosure, fall outside the scope of EPSS coverage. Organizations managing such vulnerabilities must rely on other risk assessment methods, including internal threat modeling and manual exploitability analysis.

Common misconceptions

A high EPSS score means a vulnerability has already been exploited in the wild.
EPSS scores represent a forward-looking probability of exploitation within the next 30 days, not a confirmation that exploitation has occurred. A high score indicates elevated risk based on observable signals, but does not by itself confirm active exploitation.
EPSS replaces CVSS and should be used alone to determine remediation priority.
EPSS and CVSS measure different things. CVSS reflects the intrinsic severity and characteristics of a vulnerability, while EPSS estimates the likelihood of exploitation. Effective prioritization typically uses both metrics together, along with asset context and business impact considerations.
A low EPSS score means a vulnerability is safe to deprioritize indefinitely.
Because EPSS scores update daily, a low score today may increase significantly if exploit code is published or if the vulnerability begins appearing in threat feeds. Low-scoring vulnerabilities affecting critical or internet-exposed assets may still warrant timely remediation based on other risk factors.

Best practices

Combine EPSS scores with CVSS severity ratings and asset exposure context when triaging vulnerabilities, rather than relying on any single metric to determine remediation priority.
Re-evaluate EPSS scores periodically for unpatched vulnerabilities, since scores update daily and a previously low-scoring CVE may increase in predicted exploitation likelihood as new exploit signals emerge.
Use EPSS percentile rank alongside the raw probability score to understand relative risk across your vulnerability inventory, especially when communicating prioritization decisions to stakeholders unfamiliar with interpreting raw probability values.
Integrate EPSS data into automated vulnerability management pipelines via the FIRST API to ensure scoring inputs reflect the current threat landscape rather than a static point-in-time snapshot.
Establish internal thresholds for EPSS scores that trigger escalated remediation timelines, and document the rationale for those thresholds based on your organization's risk tolerance and asset criticality tiers.
Do not treat EPSS as a substitute for runtime detection or threat hunting. EPSS predicts exploitation likelihood but cannot confirm whether a vulnerability has been or is being actively exploited in your specific environment.
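Worked example added here (not code from the original page or from FIRST): it parses a constructed response in the shape the FIRST EPSS API returns (epss and percentile as decimal strings under a data array), joins it with a constructed asset inventory, and applies the CVSS-versus-EPSS segmentation from the common questions together with the threshold, percentile and exposure practices listed above. All CVE identifiers, scores and thresholds are made-up placeholders.

```python
"""Tier CVEs from EPSS probability/percentile, CVSS severity and asset exposure."""
import json

# Constructed sample in the shape the FIRST EPSS API returns (epss and percentile
# are decimal strings under "data"). CVE identifiers and values are placeholders.
EPSS_RESPONSE = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-0000-0001", "epss": "0.91234", "percentile": "0.99876", "date": "2024-01-01"},
    {"cve": "CVE-0000-0002", "epss": "0.00412", "percentile": "0.70123", "date": "2024-01-01"},
    {"cve": "CVE-0000-0003", "epss": "0.52000", "percentile": "0.97500", "date": "2024-01-01"},
    {"cve": "CVE-0000-0004", "epss": "0.00031", "percentile": "0.08000", "date": "2024-01-01"},
]})

# Constructed asset inventory: CVSS base score and internet exposure per CVE.
INVENTORY = {
    "CVE-0000-0001": {"cvss": 9.8, "exposed": True},
    "CVE-0000-0002": {"cvss": 9.1, "exposed": False},
    "CVE-0000-0003": {"cvss": 4.3, "exposed": True},
    "CVE-0000-0004": {"cvss": 3.1, "exposed": False},
    "CVE-0000-0005": {"cvss": 7.5, "exposed": True},  # no EPSS record yet
}

# Hypothetical organisational thresholds; set these from your own risk tolerance.
EPSS_HIGH = 0.10        # 30-day exploitation probability
PERCENTILE_HIGH = 0.95  # relative rank among all scored CVEs
CVSS_HIGH = 7.0

def parse_epss(raw: str) -> dict:
    """Map each CVE to (probability, percentile) as floats."""
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in json.loads(raw)["data"]}

def tier(cve: str, cvss: float, exposed: bool, epss: dict) -> str:
    """Remediation tier from the CVSS x EPSS quadrant plus exposure context."""
    if cve not in epss:
        return "review"  # unscored CVE: fall back to manual assessment
    prob, pct = epss[cve]
    likely = prob >= EPSS_HIGH or pct >= PERCENTILE_HIGH
    severe = cvss >= CVSS_HIGH
    if likely and severe:
        return "critical"
    if likely or (severe and exposed):
        return "high"
    return "standard"

def prioritize(raw: str, inventory: dict) -> list:
    """Return [(cve, tier)] ordered by tier, then EPSS probability descending."""
    epss = parse_epss(raw)
    rank = {"critical": 0, "high": 1, "review": 2, "standard": 3}
    rows = [(c, tier(c, a["cvss"], a["exposed"], epss)) for c, a in inventory.items()]
    return sorted(rows, key=lambda r: (rank[r[1]], -epss.get(r[0], (0.0, 0.0))[0]))
```

Re-running this against a fresh daily pull is what turns the static snapshot into the moving signal the best practices describe.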