EPSS — Exploit Prediction Scoring System
EPSS is the daily-updated FIRST.org probability that a CVE will be exploited in the next 30 days. Here is how to read it alongside CVSS and CISA KEV.
What EPSS is
The Exploit Prediction Scoring System (EPSS) is a daily-updated, FIRST.org-maintained model that estimates the probability a given CVE will be exploited in the wild within the next 30 days. Each CVE in the catalogue carries two numbers: a probability score in [0,1] and a percentile rank in [0,100]. The score is the model's estimated exploitation probability; the percentile is where that score sits relative to every other CVE that currently has an EPSS row.
EPSS is a forward-looking signal. Unlike CVSS — which describes the inherent severity of a vulnerability if it were exploited — EPSS estimates whether anyone is likely to actually exploit it. A CVE with CVSS 9.8 but EPSS 0.001 is "critical but unlikely to be exploited right now"; a CVE with CVSS 5.5 and EPSS 0.85 is "moderate severity but actively being weaponised". Both signals are useful; neither replaces the other.
Score vs. percentile — read both
Score alone is misleading. The EPSS catalogue is heavily skewed: the vast majority of CVEs carry a score below 0.05, so a 0.10 score is far more remarkable than a casual reader would assume. The percentile rank captures that distribution. Three pairings to keep in mind:
- Score 0.001, percentile 30 — typical baseline. The model has no specific exploitation signal for this CVE.
- Score 0.05, percentile 92 — modest absolute probability but in the upper decile of the corpus. Worth investigating.
- Score 0.85, percentile 99.7 — the model has strong evidence of imminent or active exploitation. Treat as actionable.
The CVE Explore per-CVE EPSS pages render both numbers prominently and pair them with a plain-English interpretation sentence so the score is never read out of context.
Where EPSS fits in your prioritisation matrix
For a single CVE, three independent signals matter:
- CVSS — inherent severity if exploited (the impact axis).
- EPSS — modeled probability of exploitation in the next 30 days (the likelihood axis).
- CISA KEV — binary confirmation of active in-the-wild exploitation today. Whenever a CVE is on KEV, treat EPSS as redundant — KEV is the stronger ground-truth signal.
The standard playbook: patch every KEV-listed CVE immediately, then sweep high-severity CVEs with EPSS > 0.5 in your asset inventory, then sweep EPSS > 0.1 in the next maintenance window. Below 0.01, routine patching cadence is appropriate, because at that level the signal-to-noise ratio collapses.
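The playbook above, together with the score/percentile pairings from the previous section, as an added Python example that is not part of CVE Explore's own code. It assumes "high-severity" means CVSS >= 7.0, uses its own tier labels, folds the 0.01-0.1 band (which the playbook leaves unspecified) into routine cadence, and runs on a constructed inventory with placeholder CVE IDs.

```python
from dataclasses import dataclass
from typing import List, Optional

# Playbook thresholds from the page (EPSS probability in [0, 1]).
EPSS_SWEEP_NOW, EPSS_NEXT_WINDOW = 0.5, 0.1
HIGH_SEVERITY_CVSS = 7.0  # assumption: "high-severity" read as CVSS >= 7.0
# Tier labels are this example's own, ordered most urgent first.
TIERS = ["P0-kev", "P1-sweep-now", "P2-next-window", "P?-no-signal", "P3-routine"]

@dataclass
class Cve:
    cve_id: str
    cvss: float
    in_kev: bool
    epss: Optional[float] = None        # None = no EPSS row yet (coverage gap)
    percentile: Optional[float] = None  # 0-100, as the page presents it

def triage_tier(c: Cve) -> str:
    """Assign one CVE to a playbook tier; a KEV listing overrides EPSS."""
    if c.in_kev:
        return "P0-kev"
    if c.epss is None:
        return "P?-no-signal"  # missing row means "no signal yet", not "low risk"
    if c.epss > EPSS_SWEEP_NOW and c.cvss >= HIGH_SEVERITY_CVSS:
        return "P1-sweep-now"
    if c.epss > EPSS_NEXT_WINDOW:
        return "P2-next-window"
    # Page: < 0.01 is routine; 0.01-0.1 unspecified, folded into routine here (assumption).
    return "P3-routine"

def interpret(c: Cve) -> str:
    """Plain-English reading that always pairs the score with its percentile."""
    if c.epss is None:
        return f"{c.cve_id}: no EPSS row yet; treat as no signal, not low risk."
    return (f"{c.cve_id}: {c.epss:.3f} probability of exploitation in the next "
            f"30 days, ranking above {c.percentile:.1f}% of scored CVEs.")

def prioritise(inventory: List[Cve]) -> List[str]:
    """Order by tier, then EPSS score, then CVSS (most urgent first)."""
    key = lambda c: (TIERS.index(triage_tier(c)), -(c.epss or 0.0), -c.cvss)
    return [c.cve_id for c in sorted(inventory, key=key)]

# Constructed sample inventory; CVE IDs are placeholders, not real CVEs.
SAMPLE = [
    Cve("CVE-0000-0001", cvss=9.8, in_kev=False, epss=0.001, percentile=30.0),
    Cve("CVE-0000-0002", cvss=5.5, in_kev=False, epss=0.85, percentile=99.7),
    Cve("CVE-0000-0003", cvss=7.5, in_kev=False, epss=0.05, percentile=92.0),
    Cve("CVE-0000-0004", cvss=6.1, in_kev=True, epss=0.3, percentile=97.5),
    Cve("CVE-0000-0005", cvss=9.1, in_kev=False),  # no EPSS row yet
]
```

Note that the CVSS 9.8 / EPSS 0.001 entry lands in the lowest tier while the KEV-listed CVSS 6.1 entry lands at the top, which is exactly the point of reading the three signals together.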
Limitations to keep in mind
- Volatility. EPSS scores re-rank daily as new exploitation signals arrive. A score that was 0.7 yesterday may be 0.3 today; this is by design, since the model revises its estimate as the evidence changes rather than hiding its uncertainty.
- No causal explanation. EPSS reports a probability; it does not explain which features (PoC publication, advisory chatter, scanner signatures) drove the score. Pair it with PoC inventory and KEV when triaging.
- Model versioning. FIRST.org has shipped multiple model versions (v1, v2, v3). Historical comparisons across version boundaries are not strictly apples-to-apples.
- Coverage gaps. A newly published CVE may not have an EPSS score for several days. Absence of an EPSS row is not "low risk" — it is "no signal yet".