Exploit Prediction (EPSS)
Predicting the probability of vulnerability exploitation before it happens
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven effort managed by FIRST.org (the same organization behind CVSS). It uses machine learning to estimate the likelihood that a software vulnerability will be exploited in the wild.
While CVSS measures the severity (impact) of a vulnerability, EPSS measures the threat (probability).
Goal: To help organizations remediate vulnerabilities that are most likely to be attacked, saving time and resources.
Understanding the Metrics
Probability Score
The direct probability that a vulnerability will be exploited in the next 30 days.
Example: 0.85 means an 85% chance of exploitation.
Percentile
How this vulnerability compares to all other scored vulnerabilities.
Example: 96th percentile means its EPSS score is higher than those of 96% of all other scored CVEs.
CVSS vs. EPSS
| Feature | CVSS | EPSS |
|---|---|---|
| Measures | Technical Severity | Exploit Probability |
| Question Answered | "How bad would it be?" | "Will it happen?" |
| Data Source | Vulnerability Characteristics | Real-world Threat Data |
| Update Frequency | Static (mostly) | Daily |
Using EPSS Effectively
Organizations have limited resources and cannot patch every vulnerability immediately. EPSS allows for a much more efficient remediation strategy.
High Efficiency Strategy
Focus on vulnerabilities with High EPSS scores first, regardless of their CVSS score. This addresses the most likely threats to your organization.
Combined Approach
The most effective prioritization comes from overlaying both data sets:
High Severity (CVSS) + High Probability (EPSS) = Critical Priority
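The combined approach as working code, added here as an example and not part of the original page: the EPSS cut-off (0.10) and CVSS cut-off (7.0) are assumed thresholds for illustration, and the identifiers and scores in the sample data are constructed placeholders, not real CVEs.

```python
"""Prioritise vulnerabilities by overlaying EPSS probability on CVSS severity.

Added example, not part of the original page. The thresholds are assumptions
for illustration; identifiers and scores are constructed placeholders.
"""
from dataclasses import dataclass

# Assumed cut-offs (not from the page):
# - EPSS probability of 0.10 or more (a 10% chance of exploitation within 30 days)
# - CVSS base score of 7.0 or more (High/Critical under CVSS v3.x)
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float        # CVSS base score, 0.0 .. 10.0
    epss: float        # EPSS probability of exploitation within 30 days, 0.0 .. 1.0
    percentile: float  # EPSS percentile relative to all scored CVEs, 0.0 .. 1.0


def priority(v: Vuln) -> str:
    """Combined rule: high severity AND high probability is Critical.
    High EPSS alone still outranks high CVSS alone, since EPSS reflects real-world threat."""
    if v.epss >= EPSS_HIGH and v.cvss >= CVSS_HIGH:
        return "critical"
    if v.epss >= EPSS_HIGH:
        return "high"      # likely to be attacked even though the impact is moderate
    if v.cvss >= CVSS_HIGH:
        return "medium"    # severe if exploited, but exploitation is unlikely right now
    return "low"


RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def remediation_order(vulns: list[Vuln]) -> list[Vuln]:
    """Sort by priority bucket, then by EPSS probability, then by CVSS score."""
    return sorted(vulns, key=lambda v: (RANK[priority(v)], -v.epss, -v.cvss))


# Constructed sample data (placeholder identifiers, not real CVEs or scores).
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", cvss=9.8, epss=0.002, percentile=0.45),  # severe, rarely exploited
    Vuln("CVE-EXAMPLE-0002", cvss=6.5, epss=0.850, percentile=0.99),  # moderate, very likely exploited
    Vuln("CVE-EXAMPLE-0003", cvss=8.1, epss=0.420, percentile=0.97),  # both high
    Vuln("CVE-EXAMPLE-0004", cvss=4.3, epss=0.001, percentile=0.30),  # neither
]

if __name__ == "__main__":
    for v in remediation_order(SAMPLE):
        print(f"{v.cve}  CVSS={v.cvss:<4} EPSS={v.epss:.3f} (p{v.percentile * 100:.0f})  -> {priority(v)}")
```

In practice the `epss` and `percentile` fields would be filled from FIRST's daily EPSS feed and `cvss` from your scanner output; the ordering logic stays the same.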