The vulnerability management backlog is broken. If you are a VM Lead or Security Engineer today, you are likely staring at a dashboard with 10,000+ "Critical" alerts, knowing you only have the bandwidth to patch 50 of them this week.
This is the "Volume Problem."
For years, the industry standard has been CVSS (Common Vulnerability Scoring System). If a vulnerability scored 7.0 or higher, you patched it. But in 2026, relying solely on CVSS is a recipe for burnout. According to the Cyentia Institute's 2024 EPSS Report, only 6% of all published CVEs are ever exploited in the wild.
By blindly chasing high CVSS scores, teams waste 94% of their remediation effort on "ghost risks": vulnerabilities that look scary on paper but will never be used by an attacker.
The solution is not to work harder. It is to shift from Severity-Based prioritization to Risk-Based prioritization using EPSS.
Why is CVSS Broken? The Math of Burnout
CVSS was never designed to measure risk. It measures technical severity.
A CVSS score of 9.8 tells you that a vulnerability is "network exploitable, low complexity, and high impact." It answers the question: If this happens, how bad will it be?
It does not answer the question that keeps CISOs awake at 3 AM: Is this actually happening right now?
In 2024 alone, over 40,000 new CVEs were published. Attempting to patch every High/Critical finding is mathematically impossible. This "vulnerability fatigue" leads to the dangerous practice of "Risk Acceptance" by default, where teams simply ignore thousands of alerts because they cannot distinguish the signal from the noise.
CVSS vs. EPSS: The Difference Between "Severity" and "Risk"
To fix prioritization, we must understand the fundamental difference between these two metrics.
| Feature | CVSS (Severity) | EPSS (Threat) |
|---|---|---|
| Primary Goal | Measure the technical impact if exploited. | Measure the probability of exploitation in 30 days. |
| Input Data | Code analysis, vendor reports, proof-of-concept availability. | Real-time threat feeds, chatter, dark web activity, honeypot hits. |
| Update Frequency | Static. Once set, it rarely changes. | Dynamic. Scores update daily based on current threat activity. |
| The Verdict | "This could break your system." | "Attackers are trying to break this system." |
Real-World Example: The "Zero-Day" Context
Consider the MOVEit Transfer (CVE-2023-34362) breach. While it eventually received a high CVSS score, the exploit activity began before many scanners had updated definitions. Because EPSS is driven by threat feed data, it often spikes before the official NVD analysis is complete, acting as a "flash flood" warning for defenders.
Conversely, consider CVE-2024-4577 (PHP-CGI). Its high CVSS score triggered panic, but EPSS data quickly showed that, while the flaw was severe, the actual exploitation likelihood was lower than the hype suggested. That let teams prioritize more imminent threats such as ConnectWise ScreenConnect (CVE-2024-1709), which hit an EPSS score of 0.94 (94%) almost immediately due to rampant ransomware usage.
The Trinity of Threat: KEV, EPSS, and Intel
While EPSS is a powerful probabilistic tool, it is not the only signal you should be listening to. Advanced "Beyond EPSS" strategies triangulate data from three distinct sources to eliminate false positives.
1. CISA KEV (The Binary Signal)
The CISA Known Exploited Vulnerabilities (KEV) catalog is deterministic. It answers a simple yes/no question: Has this been exploited?
- Decision: If a CVE is in KEV, the probability is 100%. EPSS becomes irrelevant because the event has already occurred.
- Action: These go to the front of the line, regardless of CVSS or asset value.
2. EPSS (The Probabilistic Signal)
EPSS fills the gap for vulnerabilities that haven't hit KEV yet but are about to. It predicts the future based on the present.
- Decision: If EPSS > 10% but not in KEV, you are in a "Pre-Crime" state.
- Action: Patch to prevent the inevitable.
3. Wider Threat Intelligence (The Contextual Signal)
This is where the human element returns. EPSS might show a low global probability (1%), but wider threat intelligence might reveal that a specific ransomware group targeting your specific industry (e.g., Healthcare or Finance) is experimenting with a tailored exploit.
- Sector Targeting: Is this CVE being weaponized against banks?
- Dark Web Chatter: Are "Exploit Kits" for this CVE being sold, even if attacks haven't started?
- Campaign Tracking: Is this CVE part of a known APT playbook?
4. The "Noise" Signals: Public Exploits and Chatter
Beyond formal intel feeds, pay attention to the informal signals that often precede mass exploitation.
- Public Exploit Code: If a Proof-of-Concept (PoC) appears on GitHub, Exploit-DB, or Packet Storm, the clock starts ticking.
- Blog Post Chatter: A sudden spike in security researcher blog posts, Twitter/X threads, or conference talks about a "new" vulnerability is a leading indicator.
- Vendor Advisories: When a major software vendor issues an out-of-band patch with urgent language ("actively exploited"), treat this as equivalent to KEV.
How to Implement EPSS Scoring (Step-by-Step)
Adopting EPSS doesn't mean deleting CVSS. It means using them together to filter your backlog.
Step 1: Ingest the Data
You don't need to buy a new tool to get started. FIRST.org publishes the full EPSS dataset daily as a JSON/CSV file. Most modern vulnerability scanners (Tenable, Qualys, Nucleus Security) now ingest this natively.
Step 2: Set Your Thresholds
A common starting point for a "Must Patch" SLA is an EPSS score of 0.1 (10%) or higher.
- EPSS > 60%: Immediate Emergency. This is actively being exploited.
- EPSS > 10%: High Priority. Exploitation is likely or code is available.
- EPSS < 1%: Backlog. Re-evaluate only if the score jumps.
Step 3: Handle the "Long Tail"
The majority of your vulnerabilities will fall below the 1% line. This doesn't mean they are safe; it means they are currently quiet. Automation should monitor these scores daily. If a "quiet" CVE suddenly jumps from 0.01% to 25%, it moves to the top of the queue.
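Steps 1 to 3 in one script, as an added example that is not the article's own code: it parses the daily FIRST.org CSV layout, applies the Step 2 thresholds with a KEV override, and flags the Step 3 "long tail" jumps between two daily snapshots. The snapshots, the CVE-2099-* identifiers and the KEV stand-in are constructed for illustration; only the 0.94 for CVE-2024-1709 comes from the article.

```python
import csv
import io
# Constructed snapshots in the layout of the daily FIRST.org EPSS CSV (one '#' metadata
# line, then cve,epss,percentile). The CVE-2099-* ids and all scores are made up;
# CVE-2024-1709 carries the 0.94 the article quotes.
EPSS_YESTERDAY = """#model_version:v2023.03.01,score_date:2024-06-01T00:00:00+0000
cve,epss,percentile
CVE-2024-1709,0.94000,0.99900
CVE-2099-00001,0.00010,0.01500
CVE-2099-00002,0.12000,0.95000
"""
EPSS_TODAY = """#model_version:v2023.03.01,score_date:2024-06-02T00:00:00+0000
cve,epss,percentile
CVE-2024-1709,0.94000,0.99900
CVE-2099-00001,0.25000,0.96500
CVE-2099-00002,0.11000,0.94800
"""
KEV = {"CVE-2024-1709"}   # constructed stand-in for the cveID column of the CISA KEV catalog
MUST_PATCH = 0.10         # Step 2: the "Must Patch" SLA line
EMERGENCY = 0.60          # Step 2: immediate emergency

def parse_epss(text):
    """Return {cve: epss} from an EPSS CSV, skipping the '#' metadata line."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in rows}

def tier(epss, in_kev):
    """Queue position for one CVE; KEV membership outranks any EPSS value."""
    if in_kev:
        return "KEV"
    if epss > EMERGENCY:
        return "Emergency"
    if epss > MUST_PATCH:
        return "High"
    return "Backlog"   # the article leaves the 1%-10% band unspecified; treated as backlog here

def detect_jumps(yesterday, today, line=MUST_PATCH):
    """Step 3: CVEs that sat below the Must Patch line yesterday and crossed it today."""
    return sorted(
        (cve, yesterday.get(cve, 0.0), score)
        for cve, score in today.items()
        if score >= line and yesterday.get(cve, 0.0) < line
    )

if __name__ == "__main__":
    today = parse_epss(EPSS_TODAY)
    for cve, score in today.items():
        print(cve, score, tier(score, cve in KEV))
    print("jumped:", detect_jumps(parse_epss(EPSS_YESTERDAY), today))
```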
The "3 AM Test": Handling High-Severity, Low-EPSS Findings
This is the most common objection from auditors: "You can't ignore a Critical CVSS 9.8 just because the EPSS is low."
You can, but you need a policy to defend it. Use this decision matrix:
| Scenario | Action | Reasoning |
|---|---|---|
| High CVSS + High EPSS | Emergency Patch (0-24 Hours) | The house is unlocked, and burglars are on the driveway. |
| Low CVSS + High EPSS | Monitor / Patch Next | Burglars are trying to get in, but they're only targeting the garden shed. |
| High CVSS + Low EPSS | Schedule (30-90 Days) | The door is unlocked, but we're on a desert island. This is where 94% of your backlog lives. |
How Do You Add Business Context to EPSS Scores?
Carnegie Mellon's SEI (Software Engineering Institute) raises a valid criticism: "EPSS is blind."
EPSS provides a global probability. It predicts the "Chance of Rain" for the entire internet. It does not know if your specific server is standing outside without an umbrella.
Relying solely on EPSS allows you to ignore global noise, but it can lead to "Internal Blindness." A vulnerability with a low EPSS score might still be catastrophic if it exists on your "Crown Jewel" database that is accessible to the public internet.
To solve this, advanced teams use the Risk Formula:
The Risk Formula
- EPSS: Is the world attacking this?
- Asset Value: Do we care if this server goes down?
- Reachability: Can the attacker actually get to this port?
By adding "Reachability" (e.g., is port 443 open to 0.0.0.0/0?), you filter the list even further. A "Critical" vulnerability on an air-gapped test server is not a risk; it's a documentation exercise.
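The Risk Formula and the decision matrix above applied to a small backlog, as an added example rather than code from the article: KEV membership is treated as a 100% probability, an air-gapped host drops out of the queue, and the remaining findings are ordered by EPSS x Asset Value x Reachability. The findings, the 1-5 asset-value scale and the reachability weights for internal-only services are assumptions made for the illustration.

```python
# Constructed findings; CVE ids and all numbers are made up for illustration.
FINDINGS = [
    {"cve": "CVE-2099-00010", "cvss": 9.8, "epss": 0.02, "kev": False,
     "asset_value": 5, "exposure": "internet"},   # Critical on paper, quiet in the wild
    {"cve": "CVE-2099-00011", "cvss": 9.8, "epss": 0.02, "kev": False,
     "asset_value": 2, "exposure": "airgapped"},  # same bug on an air-gapped test box
    {"cve": "CVE-2099-00012", "cvss": 5.3, "epss": 0.71, "kev": False,
     "asset_value": 1, "exposure": "internet"},   # burglars at the garden shed
    {"cve": "CVE-2099-00013", "cvss": 7.5, "epss": 0.30, "kev": True,
     "asset_value": 5, "exposure": "internal"},   # in KEV: probability treated as 100%
]

# Reachability weights are an assumption, not from the article: 0.0.0.0/0 exposure counts
# fully, an internal-only service partially, an air-gapped host not at all.
REACHABILITY = {"internet": 1.0, "internal": 0.3, "airgapped": 0.0}
HIGH_CVSS, HIGH_EPSS = 7.0, 0.10   # "High" CVSS at 7+, "High" EPSS at the 10% Must Patch line

def threat(f):
    """The probabilistic input: KEV membership overrides EPSS at 100%."""
    return 1.0 if f["kev"] else f["epss"]

def risk(f):
    """Risk = EPSS x Asset Value x Reachability (asset value on an assumed 1-5 scale)."""
    return round(threat(f) * f["asset_value"] * REACHABILITY[f["exposure"]], 3)

def action(f):
    """The article's decision matrix, applied after the reachability filter."""
    if REACHABILITY[f["exposure"]] == 0.0:
        return "Document only (not reachable)"
    high_sev, high_thr = f["cvss"] >= HIGH_CVSS, threat(f) >= HIGH_EPSS
    if high_sev and high_thr:
        return "Emergency Patch (0-24 Hours)"
    if high_thr:
        return "Monitor / Patch Next"
    if high_sev:
        return "Schedule (30-90 Days)"
    return "Backlog"   # low CVSS + low EPSS is not in the article's matrix; assumed

def prioritised(findings):
    """Work queue ordered by contextual risk, highest first."""
    return sorted(findings, key=risk, reverse=True)

if __name__ == "__main__":
    for f in prioritised(FINDINGS):
        print(f"{f['cve']} risk={risk(f):.3f} -> {action(f)}")
```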
Frequently Asked Questions about EPSS
Does EPSS replace CVSS?
No. CVSS measures severity (what happens if it explodes). EPSS measures threat (will it explode). You need both to calculate true risk.
What is a good EPSS score threshold?
Most organisations start with 10% (0.1). Data shows that patching vulnerabilities above this threshold captures the vast majority of exploited flaws while significantly reducing the workload compared to CVSS 7+.
How often does EPSS update?
EPSS scores are updated daily by FIRST.org based on new threat intelligence. A static report from last week is already obsolete.
Key Takeaways
- CVSS measures severity; EPSS measures threat. You need both for true risk prioritization.
- Only 6% of CVEs are ever exploited. Stop wasting 94% of your effort on ghost risks.
- Triangulate: KEV + EPSS + Threat Intel. No single signal is enough.
- Add business context. Risk = EPSS × Asset Value × Reachability.
The shift from severity-based to risk-based prioritization is not optional. It's survival. Organisations that master EPSS and the math of remediation will patch what matters. Everyone else will drown in vulnerability noise.