FortaRisks

EPSS

EPSS (Exploit Prediction Scoring System) is a model that estimates the probability a vulnerability will be exploited within 30 days. Expressed from 0 to 100%, it complements CVSS by answering not 'how severe?' but 'how likely is a real attack?'.

Updated on July 2, 2026

What is EPSS?

EPSS, the Exploit Prediction Scoring System, is a statistical model maintained by FIRST. It assigns each vulnerability a probability, between 0 and 100%, of being exploited within the next thirty days. The model draws on many signals: presence of public exploit code, observed activity, characteristics of the flaw, and more.

EPSS answers a question CVSS does not ask. CVSS says how severe a flaw would be if exploited; EPSS estimates how likely it is to be exploited.

Why it matters for your organization

The challenge of vulnerability management is not finding flaws, but choosing which to fix first. In practice, only a very small proportion of vulnerabilities is ever exploited. Patching those with a high likelihood of exploitation first concentrates effort where the risk is real.

EPSS therefore lets you sharply reduce the remediation workload without raising risk, by deprioritizing flaws unlikely to be attacked.

How to use EPSS

  • As a complement to CVSS, never alone: severity and likelihood combine.
  • With thresholds tuned to your risk appetite (for example prioritizing above a certain percentage).
  • As top priority for any flaw that also appears in the CISA KEV catalog.
  • Dynamically: the EPSS score changes over time as the threat evolves.
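The four rules above as a small triage routine, added here as an example and not part of the FortaRisks glossary: KEV entries outrank everything, EPSS (likelihood) and CVSS (severity) combine into tiers, and a refresh step re-ranks when new EPSS scores arrive. The thresholds, the record fields and the sample findings are constructed assumptions, not real identifiers or scores.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Thresholds are assumptions for this example; tune them to your own risk appetite.
EPSS_THRESHOLD = 0.10  # 10% probability of exploitation within 30 days
CVSS_HIGH = 7.0        # CVSS base score at or above which a flaw counts as "severe"


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # constructed identifier, not a real CVE
    cvss: float    # severity: CVSS base score, 0.0-10.0
    epss: float    # likelihood: EPSS probability, 0.0-1.0
    in_kev: bool   # listed in the CISA KEV catalog (confirmed exploitation)


def triage(f: Finding) -> tuple[int, str]:
    """Assign a tier (1 = fix first) and the reason, combining likelihood and severity."""
    if f.in_kev:
        return 1, "in CISA KEV: confirmed exploitation, top priority regardless of EPSS"
    likely, severe = f.epss >= EPSS_THRESHOLD, f.cvss >= CVSS_HIGH
    if likely and severe:
        return 2, "likely to be exploited and severe"
    if likely:
        return 3, "likely to be exploited, lower severity"
    if severe:
        return 4, "severe but unlikely: residual risk, keep it on the list"
    return 5, "unlikely and low severity: deprioritize"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order by tier, then by EPSS and CVSS within a tier (highest first)."""
    return sorted(findings, key=lambda f: (triage(f)[0], -f.epss, -f.cvss))


def refresh(findings: list[Finding], new_epss: dict[str, float]) -> list[Finding]:
    """EPSS scores move over time: apply a fresh batch of scores and re-prioritize."""
    return prioritize([replace(f, epss=new_epss.get(f.vuln_id, f.epss)) for f in findings])


# Constructed sample findings (made-up identifiers and scores).
SAMPLE = [
    Finding("EX-0001", cvss=9.8, epss=0.02, in_kev=False),  # critical but rarely attacked
    Finding("EX-0002", cvss=5.3, epss=0.45, in_kev=False),  # medium severity, often attacked
    Finding("EX-0003", cvss=7.5, epss=0.90, in_kev=False),  # high severity and very likely
    Finding("EX-0004", cvss=6.1, epss=0.01, in_kev=True),   # in KEV despite a low EPSS
    Finding("EX-0005", cvss=4.0, epss=0.01, in_kev=False),  # low on both axes
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        tier, why = triage(f)
        print(f"tier {tier}  {f.vuln_id}  CVSS {f.cvss}  EPSS {f.epss:.0%}  {why}")
```

Re-running `refresh` with a later EPSS batch moves EX-0001 from tier 4 to tier 2 once its likelihood crosses the threshold, which is the "dynamic" use the list describes.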

Where organizations most often fall short

A common mistake is to keep driving remediation by severity alone, ignoring the likelihood of exploitation. Conversely, relying on EPSS alone and neglecting a severe but unlikely flaw leaves residual risk. EPSS is a powerful decision factor, not a substitute for judgment or for the context of your environment.

Frequently asked questions

What is the difference between EPSS and CVSS?

CVSS measures a flaw's potential severity; EPSS estimates the probability it will actually be exploited in the near term. The two are complementary: a vulnerability can be CVSS-critical yet have a low likelihood of exploitation, or vice versa. Combining both avoids wasting effort on theoretical risks.

Does EPSS replace the CISA KEV catalog?

No, they are complementary. EPSS is a probabilistic prediction; the CISA KEV catalog is a fact: it lists vulnerabilities with confirmed exploitation. A flaw in the KEV must be treated as top priority, regardless of its EPSS score.
