EPSS (Exploit Prediction Scoring System)

The Exploit Prediction Scoring System (EPSS) is a machine learning model that estimates the probability a published vulnerability will be exploited in the wild within the next 30 days. Maintained by FIRST, EPSS produces a daily score between 0 and 1 (expressed as a percentage) for every known CVE, helping security teams focus remediation on the vulnerabilities most likely to be used in real attacks rather than treating every high-severity finding as equally urgent.

What is EPSS?

The Exploit Prediction Scoring System, or EPSS, is a data-driven model that answers a question CVSS can't: how likely is this vulnerability to actually be exploited?

Developed and maintained by FIRST (Forum of Incident Response and Security Teams), EPSS uses machine learning trained on real-world exploitation data to assign each published CVE a probability score between 0 and 1. A score of 0.95 means EPSS estimates a 95% chance the vulnerability will be exploited in the next 30 days. A score of 0.02 means a 2% chance. Scores are updated daily as new threat intelligence flows in.

The current version, EPSS v4, was released in March 2025. It covers all public CVEs and draws on signals including:

  • Exploit availability. Whether proof-of-concept or weaponized exploit code exists in public repositories, exploit databases, or underground forums.
  • Active exploitation evidence. Indicators from threat intelligence feeds, honeypots, and security vendor telemetry showing the vulnerability is being targeted.
  • Vulnerability characteristics. The CVE's age, CVSS metrics, affected product categories, and related threat actor activity.
  • Social and media signals. References to the vulnerability in security advisories, social media, news outlets, and mailing lists, which often correlate with exploitation interest.

EPSS also provides a percentile ranking that places each vulnerability relative to all other CVEs. A vulnerability at the 95th percentile has a higher exploitation probability than 95% of all known vulnerabilities.

Why EPSS matters for startups

Startups face the same vulnerability volume as large enterprises but with a fraction of the staff to address them. The Exploit Prediction Scoring System provides the exploitation intelligence needed to focus your limited remediation capacity where it counts.

Here's why it matters:

  1. CVSS severity alone doesn't predict exploitation. EPSS closes this gap by identifying which high-severity vulnerabilities are actually being weaponized.
  2. It dramatically reduces remediation workload. For a startup with two engineers sharing security responsibilities, focusing on the findings EPSS flags as likely to be exploited is the difference between drowning in vulnerability tickets and having a manageable remediation queue.
  3. It updates daily. Unlike CVSS, which is a static score assigned when a vulnerability is published, the Exploit Prediction Scoring System updates every day. A vulnerability that had low exploitation probability last week can spike when new exploit code is published or a threat actor begins targeting it. This makes EPSS responsive to the evolving threat landscape in a way static severity scores can't be.
  4. It pairs naturally with CVSS and KEV. The most effective vulnerability management combines all three: CVSS tells you how severe a vulnerability is. EPSS tells you how likely it is to be exploited. CISA's KEV catalog tells you if it's already being actively exploited. Together, they give you severity, probability, and confirmed threat status.

How to use EPSS in practice

For startups building a vulnerability management program, here's how to integrate the Exploit Prediction Scoring System:

  • Set EPSS thresholds in your remediation policy. For example: any vulnerability with EPSS above 0.1 (10% exploitation probability) gets treated as high priority regardless of CVSS score. This catches actively exploited medium-severity vulnerabilities that CVSS-only policies miss.
  • Use EPSS to break ties. When your scanner reports 50 high-CVSS findings and you can only patch 10 this week, sort by EPSS. The ones most likely to be exploited go first.
  • Monitor EPSS trends, not just snapshots. A vulnerability whose EPSS score jumped from 0.05 to 0.4 in a week signals emerging threat activity, even if the CVSS score hasn't changed.
  • Combine all three signals. Build a simple decision matrix: CVSS for severity, EPSS for exploitation probability, KEV for confirmed exploitation. A vulnerability that's high across all three is a drop-everything priority. High CVSS but low EPSS and not in KEV can follow your normal patch cycle.
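The following is an added example, not code from the original page and not FIRST's tooling: a small Python prioritizer that implements the policy described in the bullets above (EPSS above 0.1 is high priority regardless of CVSS, EPSS breaks ties, a sharp week-over-week EPSS rise is treated as emerging threat activity, and KEV membership is the confirmed-exploitation signal). The findings, the placeholder CVE identifiers, the CVSS 7.0 "high" cutoff, the trend rule (a four-fold rise to at least 0.03) and the tier names are all assumptions made for the example; a real pipeline would populate the EPSS fields from the FIRST daily dataset and the KEV flag from CISA's catalog.

```python
"""EPSS / CVSS / KEV prioritizer (added example; constructed data, not real CVEs)."""
from __future__ import annotations

from dataclasses import dataclass

EPSS_HIGH = 0.10      # policy from the text: EPSS above 10% is high priority regardless of CVSS
CVSS_HIGH = 7.0       # assumption: CVSS 7.0 and above counts as "high severity"
TREND_FACTOR = 4.0    # assumption: a 4x week-over-week EPSS rise signals emerging activity
TREND_FLOOR = 0.03    # assumption: ignore rises that stay below 3%, they are mostly noise

TIER_RANK = {"drop-everything": 0, "high": 1, "normal": 2}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, static severity
    epss: float            # today's EPSS probability, 0..1
    epss_week_ago: float   # EPSS probability seven days earlier (for trend detection)
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog


def classify(f: Finding) -> tuple[str, str]:
    """Apply the decision matrix: return (tier, reason) for one finding."""
    severe = f.cvss >= CVSS_HIGH
    likely = f.epss > EPSS_HIGH
    rising = (
        f.epss_week_ago > 0
        and f.epss / f.epss_week_ago >= TREND_FACTOR
        and f.epss >= TREND_FLOOR
    )
    if severe and likely and f.in_kev:
        return "drop-everything", "high CVSS, high EPSS and listed in KEV"
    if f.in_kev:
        # Assumption: confirmed exploitation is at least "high" even when EPSS or CVSS is low.
        return "high", "confirmed exploitation (KEV)"
    if likely:
        return "high", f"EPSS {f.epss:.2f} above {EPSS_HIGH:.2f} threshold"
    if rising:
        return "high", f"EPSS rose {f.epss_week_ago:.2f} -> {f.epss:.2f} in a week"
    return "normal", "follow the normal patch cycle"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order by tier, then EPSS descending (the tie-breaker), then CVSS descending."""
    return sorted(findings, key=lambda f: (TIER_RANK[classify(f)[0]], -f.epss, -f.cvss))


def patch_plan(findings: list[Finding], capacity: int) -> list[str]:
    """CVE ids to patch this week given limited capacity (e.g. 'only 10 of 50')."""
    return [f.cve for f in prioritize(findings)[:capacity]]


# Constructed sample scanner output; the CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01, epss_week_ago=0.01, in_kev=False),
    Finding("CVE-0000-0002", cvss=5.0, epss=0.80, epss_week_ago=0.75, in_kev=False),
    Finding("CVE-0000-0003", cvss=9.1, epss=0.60, epss_week_ago=0.55, in_kev=True),
    Finding("CVE-0000-0004", cvss=7.5, epss=0.08, epss_week_ago=0.01, in_kev=False),
    Finding("CVE-0000-0005", cvss=8.2, epss=0.30, epss_week_ago=0.28, in_kev=False),
    Finding("CVE-0000-0006", cvss=6.1, epss=0.05, epss_week_ago=0.04, in_kev=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        tier, reason = classify(f)
        print(f"{f.cve}  CVSS {f.cvss:>4}  EPSS {f.epss:.2f}  KEV {f.in_kev!s:<5}  {tier:<15} {reason}")
    print("patch this week:", patch_plan(SAMPLE_FINDINGS, capacity=3))
```

Note how the CVSS 9.8 finding with EPSS 0.01 lands at the bottom of the queue while the CVSS 5.0 finding with EPSS 0.80 is patched first, and how the trend rule promotes a finding whose EPSS is still under the 0.1 threshold but jumped eight-fold in a week.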

Frequently asked questions

How accurate is EPSS at predicting exploitation?

EPSS v4 achieves an ROC AUC of 0.838, meaning that a randomly chosen exploited vulnerability is ranked above a randomly chosen non-exploited one about 84% of the time. In practical terms, vulnerabilities scored in the top 10% by EPSS account for a disproportionately large share of observed exploitation activity. No prediction model is perfect: EPSS can't predict zero-day exploitation or attacks using vulnerabilities without CVE identifiers. But as a prioritization tool, it significantly outperforms static severity scoring alone.

How often are EPSS scores updated?

EPSS scores are recalculated and published daily. Each day's scores reflect the latest threat intelligence, exploit availability data, and exploitation evidence. This means a vulnerability's EPSS score can change significantly over time as new exploit code emerges, threat actors begin targeting it, or exploitation activity subsides. You can access current scores and historical data through the FIRST EPSS API or download the daily dataset from first.org/epss.

Can EPSS replace CVSS for vulnerability prioritization?

No, and it's not designed to. CVSS and EPSS measure fundamentally different things. CVSS measures technical severity (how bad a vulnerability is if exploited), while EPSS measures exploitation probability (how likely it is to be exploited). A vulnerability can be technically severe (CVSS 9.8) but rarely exploited (EPSS 0.01), or moderately severe (CVSS 5.0) but frequently exploited (EPSS 0.8). The best practice is to use both together: CVSS to understand the potential impact, and EPSS to understand the likelihood. Add CISA's KEV catalog for confirmed active exploitation, and you have a well-rounded prioritization framework.
