EPSS does not measure severity: it measures probability. A CVE with CVSS 9.8 may have a low EPSS if there are no public exploits or observed activity, while a CVE with CVSS 6 may have a high EPSS if active campaigns are already running. The two values answer different questions and complement each other.
What EPSS is
EPSS (Exploit Prediction Scoring System) is a framework maintained by FIRST that estimates the probability of a specific vulnerability being exploited in the next thirty days. Unlike CVSS, which measures the intrinsic technical severity of a weakness, EPSS answers an operational question: how likely is it that this is already being used against someone? The system combines public signals (publications, available exploit code, activity observed in honeypots, lists of exploited CVEs) and produces two daily values for each CVE: a probability between 0 and 1 and a percentile relative to the rest of the catalogue. Its purpose is not to replace CVSS, but to give the security team a priority order that aligns with real risk.
Why it matters
In a company with thousands of open findings, ordering by CVSS pushes the team to invest in patches that perhaps no one is using against anyone, while postponing a medium-severity vulnerability that is being actively exploited that very same week. EPSS solves that misalignment by adding a signal of real-world use to the picture. Combined with CISA's KEV (the list of vulnerabilities with confirmed exploitation) and with asset context, it drastically reduces the remediation queue. For regulatory frameworks that require risk-based prioritisation (ISO 27001, NIS2, DORA), that exercise also becomes a concrete piece of evidence rather than a narrative.
Key points
EPSS values change every day. What sat in the 30th percentile yesterday can jump to the 95th when an exploit appears on GitHub or a mass campaign is published. That is why EPSS only adds value when it is consumed frequently and integrated into the vulnerability team's prioritisation flow.
A reasonable operational policy is "remediate everything in KEV in accelerated mode, everything with EPSS above a threshold (typically 0.5 or 95th percentile) and the rest by standard SLA". That simple rule usually cuts the queue of urgent findings in half without losing coverage on real risk.
EPSS works well when crossed with asset context. A CVE with high EPSS on an isolated internal server is not the same as the same CVE on an internet-facing load balancer. The composite rule (EPSS + reachability + data criticality) is what produces honest decisions.
EPSS is not a crystal ball: there are false positives and moments when it lags behind the attacker. The point is not to seek perfect precision but to reduce backlog noise. Any honest indicator of probability is better than ordering by CVSS alone.
Modern vulnerability management platforms already enrich every finding automatically with EPSS, KEV and asset context. If an organisation still consumes plain CVSS, it is leaving remediation capacity on the table.
Example: prioritising with EPSS + KEV + asset context
A security team receives a weekly report with 1,200 open findings across corporate infrastructure. Sorted by CVSS alone, there are 180 vulnerabilities classified as critical and another 350 as high — impossible to patch within any reasonable timeframe. The team applies a composite rule: first, mark as urgent the 12 vulnerabilities that appear in KEV; then the 47 with EPSS above 0.5; within that group, prioritise those affecting internet-facing assets or assets handling sensitive data.
The result is a realistic queue of around 30 vulnerabilities to remediate within seven days, while the other 800 remain on the standard SLA. The view refreshes every twenty-four hours with the new EPSS values, so if a CVE jumps to the 99th percentile because of public exploit availability, the system promotes it automatically and surfaces it to the team. That same list is delivered to the auditor as evidence of risk-based prioritisation, aligned with NIS2 and the company's internal policy.
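The composite rule from this example (KEV first, then the EPSS threshold, then asset context) and the daily refresh that promotes a CVE when its score jumps, written out as an added Python example that is not part of the original article. The CVE ids, scores and tier names are constructed placeholders, not real data or any platform's API.

```python
from __future__ import annotations
from dataclasses import dataclass

EPSS_PROB_THRESHOLD = 0.5         # the article's "typically 0.5"
EPSS_PERCENTILE_THRESHOLD = 0.95  # or the 95th percentile
TIER_ORDER = {"kev": 0, "epss-exposed": 1, "epss": 2, "standard": 3}

@dataclass
class Finding:
    cve: str               # placeholder ids in the sample below, not real CVEs
    cvss: float
    epss: float            # EPSS probability, 0..1
    percentile: float      # EPSS percentile, 0..1
    in_kev: bool
    internet_facing: bool
    sensitive_data: bool

def tier(f: Finding) -> str:
    """Composite rule: KEV first, then the EPSS threshold, then asset context."""
    if f.in_kev:
        return "kev"
    if f.epss >= EPSS_PROB_THRESHOLD or f.percentile >= EPSS_PERCENTILE_THRESHOLD:
        return "epss-exposed" if (f.internet_facing or f.sensitive_data) else "epss"
    return "standard"

def prioritise(findings: list[Finding]) -> list[str]:
    """Remediation queue: tier first, then EPSS, with CVSS only as a tie-breaker."""
    ranked = sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -f.epss, -f.cvss))
    return [f.cve for f in ranked]

def refresh_epss(findings: list[Finding], feed: dict[str, tuple[float, float]]) -> list[tuple[str, str, str]]:
    """Apply a new day's (probability, percentile) feed in place; return CVEs whose tier changed."""
    changes = []
    for f in findings:
        before = tier(f)
        if f.cve in feed:
            f.epss, f.percentile = feed[f.cve]
        if tier(f) != before:
            changes.append((f.cve, before, tier(f)))
    return changes

def sample_findings() -> list[Finding]:
    """Constructed sample (placeholder CVE ids), not taken from any real feed."""
    return [
        Finding("CVE-XXXX-0001", 9.8, 0.02, 0.60, False, True, False),   # critical CVSS, no exploit signal
        Finding("CVE-XXXX-0002", 6.5, 0.71, 0.97, False, True, False),   # medium CVSS, active use, exposed
        Finding("CVE-XXXX-0003", 7.2, 0.30, 0.90, True, False, False),   # in KEV despite modest EPSS
        Finding("CVE-XXXX-0004", 8.1, 0.55, 0.96, False, False, False),  # high EPSS on an isolated host
    ]
```

Running `refresh_epss` with a next-day feed that raises the 9.8 to probability 0.80 and the 99th percentile moves it from the standard SLA to the front of the exposed-asset group, which is the promotion the article describes.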
Common mistakes
- Replacing CVSS with EPSS. CVSS remains the technical severity metric and still appears in contracts, SLAs and policies. EPSS adds the dimension of probability; it does not replace it. The correct operational policy uses both.
- Treating EPSS as a static value. Without daily updates, the metric loses its meaning. The integration with the vulnerability management platform must bring fresh EPSS values at least once a day.
- Applying EPSS without asset context. A vulnerability with high EPSS on a non-exposed internal system may carry less real risk than another with medium EPSS on an internet-facing asset or one holding personal data.
- Ignoring KEV. A vulnerability included in KEV by CISA is already being exploited in the real world; priority must be immediate even if its EPSS is not yet the highest in the catalogue.
- Not communicating the criterion. If the prioritisation rule (EPSS + KEV + context) is not written down and shared with IT, development and suppliers, the remediation conversation has to restart with every ticket.
Frequently asked questions
How does EPSS differ from CVSS?
CVSS describes the technical severity of a vulnerability: what theoretical impact it would have if exploited and how easy that exploitation would be. EPSS estimates the probability of that vulnerability being exploited in the next thirty days, based on signals observed in the real world. They are different questions and a mature management programme uses both.
What EPSS threshold is considered 'high'?
There is no universal threshold, but the most widely used in practice is 0.5 probability or the 95th percentile. Any CVE above those values deserves accelerated treatment in most organisations, especially if it also appears in KEV or affects an exposed asset.
How often is a vulnerability's EPSS score updated?
The EPSS project publishes a new set of values every day. That cadence matters: a vulnerability can shift from low to high probability in hours when a public exploit appears or offensive activity is observed. Vulnerability management platforms should refresh the metric at least once a day.
Does EPSS replace CISA's KEV list?
No, they are complementary. KEV is an official list of vulnerabilities with confirmed exploitation and should be treated as immediate priority. EPSS estimates probability for the entire CVE catalogue, including the vast majority that never appears in KEV. Used together, KEV marks what is already happening and EPSS what will probably happen.