What is EPSS?
EPSS, the Exploit Prediction Scoring System, is a statistical model maintained by FIRST. It assigns each vulnerability a probability, from 0% to 100%, of being exploited within the next thirty days. The model draws on many signals: the existence of public exploit code, observed exploitation activity, characteristics of the flaw, and more.
EPSS answers a question CVSS does not ask. CVSS says how severe a flaw would be if exploited; EPSS estimates how likely it is to be exploited.
Why it matters for your organization
The challenge of vulnerability management is not finding flaws, but choosing which to fix first. In practice, only a very small proportion of vulnerabilities is ever exploited. Patching those with a high likelihood of exploitation first concentrates effort where the risk is real.
EPSS therefore lets you sharply reduce the remediation workload without raising risk, by deprioritizing flaws unlikely to be attacked.
How to use EPSS
- As a complement to CVSS, never alone: severity and likelihood combine.
- With thresholds tuned to your risk appetite (for example, remediating everything above a chosen probability threshold).
- As top priority for any flaw that also appears in the CISA KEV catalog.
- Dynamically: the EPSS score changes over time as the threat evolves.
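The four points above as one prioritization routine, an added example that is not part of the original page: each finding carries a CVSS score, an EPSS probability and a KEV flag, and is bucketed KEV first, then above an assumed EPSS threshold, then severe-but-unlikely, then the rest. The thresholds, the Finding class and the CVE identifiers are constructed assumptions; re-run it whenever fresh EPSS scores are pulled, since they change over time.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float   # CVSS base score, 0.0-10.0 (how bad it is if exploited)
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool  # listed in the CISA Known Exploited Vulnerabilities catalog


# Assumed thresholds; tune both to your own risk appetite.
EPSS_THRESHOLD = 0.10   # treat >= 10% as "likely to be exploited"
CVSS_THRESHOLD = 9.0    # treat >= 9.0 as "critical even if unlikely"


def tier(f: Finding) -> int:
    """Lower tier = fix sooner: KEV, then likely, then severe-but-unlikely, then the rest."""
    if f.in_kev:
        return 0
    if f.epss >= EPSS_THRESHOLD:
        return 1
    if f.cvss >= CVSS_THRESHOLD:
        return 2
    return 3


def prioritize(findings):
    # Within a tier, order by expected impact (probability x severity), then by severity.
    return sorted(findings, key=lambda f: (tier(f), -(f.epss * f.cvss), -f.cvss))


# Constructed sample input; these CVE identifiers are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),  # severe, unlikely
    Finding("CVE-0000-0002", cvss=7.5, epss=0.91, in_kev=False),  # moderate, very likely
    Finding("CVE-0000-0003", cvss=5.3, epss=0.01, in_kev=False),  # low on both axes
    Finding("CVE-0000-0004", cvss=8.1, epss=0.45, in_kev=True),   # in KEV: top priority
    Finding("CVE-0000-0005", cvss=6.5, epss=0.15, in_kev=False),  # crosses the EPSS threshold
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"tier {tier(f)}  {f.cve}  cvss={f.cvss}  epss={f.epss:.0%}  kev={f.in_kev}")
```

Note that the severe-but-unlikely CVE-0000-0001 still lands in tier 2 rather than being dropped, which is the residual risk the next section warns about.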
Where organizations most often fall short
A common mistake is to keep driving remediation by severity alone, ignoring the likelihood of exploitation. Conversely, relying on EPSS alone and neglecting a severe but unlikely flaw leaves residual risk. EPSS is a powerful decision factor, not a substitute for judgment or for the context of your environment.