Guide January 6, 2026

The Math of Remediation: Advanced Guide to EPSS

We do not need more alerts. We need better math. Why 95% of your backlog is noise, and how to find the 5% signal.

Precursor Team

Security Data Science

The Exploit Prediction Scoring System (EPSS) is a data-driven standard that estimates the probability (0-100%) that a vulnerability will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures threat, allowing security teams to prioritize patches based on actual risk rather than theoretical impact.

Why do we need another score?

Security teams face a mathematical impossibility. The average enterprise backlog contains over 14,000 vulnerabilities. Even fully staffed engineering teams can only remediate 5-10% of their backlog meaningfully.

For the last decade, the industry relied on the Common Vulnerability Scoring System (CVSS) to prioritize work. Ideally, teams would fix everything rated "Critical" (CVSS 9.0+). In practice, this approach fails because severity does not equal risk. A vulnerability can be theoretically catastrophic but mathematically irrelevant if no exploit code exists.

What is the difference between CVSS and EPSS?

CVSS answers the question: "How bad could this be?"
EPSS answers the question: "Will we actually get hit?"

Most holistic threat management programs fail because they conflate these two questions. They treat potential impact as immediate danger.

| Feature | CVSS (The Potential) | EPSS (The Prediction) | CISA KEV (The Proof) |
| --- | --- | --- | --- |
| Primary Question | "If exploited, how much damage?" | "What is the probability?" | "Is it happening right now?" |
| Data Source | Static Code Analysis | Dynamic Threat Intelligence | Confirmed Forensic Evidence |
| Update Frequency | Static (Rarely changes) | Daily (Real-time) | Ad-hoc (Upon discovery) |

A Brief History of Prediction

We cannot fix what we cannot predict. The EPSS effort began in 2019 at Black Hat, where researchers questioned the industry's obsession with severity over utility.

  • 2019 - The Hypothesis: Jay Jacobs and team present "The Exploit Prediction Scoring System" at Black Hat USA. They propose that exploitability is learned behavior, not a static property.
  • 2021 - EPSS v1 (The Launch): First public release. It used a logistic regression model. Good, but conservative.
  • 2023 - EPSS v3 (The Leap): Shifted to an XGBoost model. Data coverage exploded. Reliability crossed the threshold for enterprise automation.

How is EPSS calculated?

The Forum of Incident Response and Security Teams (FIRST) maintains the EPSS model. It processes variables daily to generate a probability score for every published CVE.

Deep Dive: Inside the Black Box (EPSS v4)

While the exact algorithm (an XGBoost classifier) processes 1,466 input features, the most important signals fall into three buckets.

  • 1. Exploit Code Maturity (The "Gun")

    The best predictor is the existence of tools.
    Proof-of-Concept: Python script crashes server? Score ticks up (+0.05).
    Weaponized: Added to Metasploit? Score jumps significantly (>0.60).
    Automated: Wrapped into a botnet? Score hits ceiling (>0.90).

  • 2. Vector & Complexity (The "Path")

    EPSS ingests the CVSS vector but interprets it differently. Remote bugs are far more valuable to threat actors than local ones, and attackers prefer "unauthenticated" exploits.

  • 3. Social Signal (The "Chatter")

    EPSS monitors security Twitter and dark web forums. The "Hype" Effect matters because hackers prioritize what everyone is talking about.

Key Takeaway: EPSS is not looking for vulnerability; it is looking for capability and intent.

Understanding the "Hockey Stick" distribution

[Chart: Vulnerability Exploitation Probability by EPSS band. Noise (<1% chance): 95%. Elevated (1-10%): 4%. Critical (>10%): 1%.]

The distribution of EPSS scores is heavily skewed. Most vulnerabilities (over 95%) have an EPSS score below 0.1%. By filtering out this "noise," teams can focus on the 5% that matter.

What is a "High" EPSS score?

An EPSS score of 0.1 (10%) is not low; it is extremely high. Use these thresholds:

  • EPSS > 10% (0.1): Emergency. Fix immediately. (96th percentile danger)
  • EPSS > 1% (0.01): Priority. Schedule for next sprint.
  • EPSS < 1% (<0.01): Backlog. Monitor.

How do I operationalize EPSS in my pipeline?

You need a triage logic we call the Risk Triangle.

[Diagram: the Risk Triangle. All Vulnerabilities pass through the filter "CVSS > 7 & EPSS > 0.05". Those that pass are High Probability Risk / Critical Exposure: Remediate (7 Days). Those that fail go to Backlog: Monitor.]
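The following is an added example (not code from the guide or from Precursor) that turns the Risk Triangle, the EPSS tiers above, and the hockey-stick view into a runnable triage pass over a constructed backlog. The CVSS > 7 & EPSS > 0.05 gate and the 10% / 1% tiers are the guide's numbers; letting a CISA KEV listing bypass the gate, the `Finding` structure, the made-up CVE IDs and scores, and the closing probability calculation (which assumes the per-CVE probabilities are independent) are assumptions added here.

```python
from dataclasses import dataclass

# Thresholds from the guide: the Risk Triangle filter (CVSS > 7 and EPSS > 0.05)
# and the EPSS tiers (Emergency > 10%, Priority > 1%, otherwise Backlog).
TRIANGLE_CVSS = 7.0
TRIANGLE_EPSS = 0.05
EPSS_EMERGENCY = 0.10
EPSS_PRIORITY = 0.01


@dataclass
class Finding:
    cve: str
    cvss: float           # CVSS base score, 0.0-10.0 (severity)
    epss: float           # EPSS probability, 0.0-1.0 (30-day exploitation chance)
    in_kev: bool = False  # on CISA KEV, i.e. confirmed exploitation (handling is an assumption)


def epss_tier(epss):
    """Map one EPSS probability to the guide's three tiers."""
    if epss > EPSS_EMERGENCY:
        return "Emergency"
    if epss > EPSS_PRIORITY:
        return "Priority"
    return "Backlog"


def triage(finding):
    """
    Risk Triangle decision. The CVSS > 7 & EPSS > 0.05 gate is the guide's rule;
    letting a KEV listing bypass the gate is an assumption added here, because
    KEV is confirmed exploitation ("The Proof") rather than a prediction.
    """
    if finding.in_kev:
        return "Critical Exposure"
    if finding.cvss > TRIANGLE_CVSS and finding.epss > TRIANGLE_EPSS:
        return "Critical Exposure"
    return "Backlog Monitor"


def worklist(findings):
    """Critical Exposure items first, each group ordered by EPSS descending."""
    order = {"Critical Exposure": 0, "Backlog Monitor": 1}
    return sorted(findings, key=lambda f: (order[triage(f)], -f.epss))


def tier_distribution(findings):
    """Percentage of the backlog in each EPSS tier (the 'hockey stick' view)."""
    counts = {"Emergency": 0, "Priority": 0, "Backlog": 0}
    for f in findings:
        counts[epss_tier(f.epss)] += 1
    total = len(findings) or 1
    return {tier: round(100.0 * n / total, 1) for tier, n in counts.items()}


def prob_any_exploited(findings):
    """
    Probability that at least one listed CVE is exploited within the EPSS 30-day
    window, treating the scores as independent events (an assumption):
    1 - product(1 - p_i). Returns 0.0 for an empty list.
    """
    survive = 1.0
    for f in findings:
        survive *= (1.0 - f.epss)
    return 1.0 - survive


# Constructed sample backlog; the CVE IDs and scores are made up for this example.
SAMPLE = [
    Finding("CVE-2099-0001", cvss=9.8, epss=0.94),                # weaponized, remote
    Finding("CVE-2099-0002", cvss=7.5, epss=0.02),                # high severity, little chatter
    Finding("CVE-2099-0003", cvss=9.1, epss=0.0004),              # "Critical" CVSS, no exploit code
    Finding("CVE-2099-0004", cvss=5.3, epss=0.30),                # medium severity, high probability
    Finding("CVE-2099-0005", cvss=6.5, epss=0.001, in_kev=True),  # low EPSS but on KEV
]

if __name__ == "__main__":
    for f in worklist(SAMPLE):
        print(f"{f.cve}  CVSS={f.cvss:<4} EPSS={f.epss:<7} {triage(f):<17} {epss_tier(f.epss)}")
    print("tiers:", tier_distribution(SAMPLE))
    print(f"P(at least one exploited in 30 days) = {prob_any_exploited(SAMPLE):.1%}")
```

Note the disagreement the two rules produce on the fourth finding: EPSS 0.30 puts it in the Emergency tier, but CVSS 5.3 fails the triangle's severity gate, so it lands in Backlog Monitor. That is the point of the "CVSS + EPSS" pairing in the guide, and a team should decide explicitly which rule wins when they conflict rather than let the filter decide silently.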

Script: Automating EPSS Checks

Because EPSS updates daily, you should not hardcode scores. Use the FIRST.org API to check your key CVEs dynamically. Here is a production-ready Python snippet to query the score for a specific CVE.

check_epss.py
import requests

def get_epss_score(cve_id):
    """
    Fetch the EPSS score and percentile for one CVE from the FIRST.org API.
    Returns (score, percentile) as floats in the range 0.0-1.0, or
    (None, None) if the request fails. A score > 10% (0.1) is considered CRITICAL.
    """
    url = f"https://api.first.org/data/v1/epss?cve={cve_id}"

    try:
        response = requests.get(url, timeout=5)
        response.raise_for_status()
        data = response.json()
    except (requests.RequestException, ValueError) as e:
        # Network/HTTP failure or a non-JSON body: signal it instead of
        # returning a value the caller could mistake for "not exploited".
        print(f"Error fetching EPSS: {e}")
        return None, None

    # The API returns an empty list for unknown or not-yet-scored CVE IDs.
    if data.get("data"):
        score = float(data["data"][0]["epss"])
        percentile = float(data["data"][0]["percentile"])
        return score, percentile
    return 0.0, 0.0

# Check Log4Shell (CVE-2021-44228)
cve = "CVE-2021-44228"
score, percentile = get_epss_score(cve)

if score is None:
    raise SystemExit(1)

print(f"[{cve}]")
print(f"Probability: {score * 100:.2f}%")
print(f"Percentile:  {percentile * 100:.2f}th")

if score > 0.1:
    print("🚨 ACTION: REMEDIATE IMMEDIATELY")
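The single-CVE script above is fine for a spot check, but a pipeline queries many CVEs at once and has to cope with two things the script does not: IDs the API simply omits from "data" (unknown, rejected, or not yet scored, which must not be read as a 0% score), and cached responses going stale because EPSS is recomputed daily. The block below is an added example, not the guide's or FIRST's code. It builds the batch URL using the API's documented comma-separated `cve` filter, parses the response offline, and flags stale and unscored entries. The response body is constructed with the key names the real API uses (`cve`, `epss`, `percentile`, `date`, numbers as strings), but the IDs, values and date are made up, and the envelope fields are omitted; `is_stale` and its one-day window are assumptions added here.

```python
import json
from datetime import date

EPSS_API = "https://api.first.org/data/v1/epss"
EMERGENCY = 0.1   # the guide's line: EPSS > 10% means remediate immediately


def build_batch_url(cve_ids):
    """One request for many CVEs; the API's cve filter accepts a comma-separated list."""
    return f"{EPSS_API}?cve={','.join(cve_ids)}"


def parse_epss_response(raw_json, requested):
    """
    Map every requested CVE to (score, percentile) as floats, or to None when
    the API returned no row for it. Unknown, rejected and not-yet-scored IDs are
    simply absent from "data", so a missing row must be kept distinct from 0.0.
    """
    payload = json.loads(raw_json)
    rows = {row["cve"]: row for row in payload.get("data", [])}
    scores = {}
    for cve in requested:
        row = rows.get(cve)
        scores[cve] = (float(row["epss"]), float(row["percentile"])) if row else None
    return scores


def is_stale(raw_json, today_iso, max_age_days=1):
    """
    True if any returned score is older than max_age_days, or if nothing came
    back at all. EPSS is recomputed daily, so a cached response should not
    drive decisions past that window (the window itself is an assumption).
    """
    payload = json.loads(raw_json)
    dates = [date.fromisoformat(row["date"]) for row in payload.get("data", [])]
    if not dates:
        return True
    today = date.fromisoformat(today_iso)
    return max((today - d).days for d in dates) > max_age_days


def needs_immediate_action(scores, threshold=EMERGENCY):
    """CVEs above the emergency threshold, highest probability first."""
    hits = [(cve, s[0]) for cve, s in scores.items() if s is not None and s[0] > threshold]
    return [cve for cve, _ in sorted(hits, key=lambda x: -x[1])]


def unscored(scores):
    """CVEs the API did not score; these need a manual look, not a silent pass."""
    return sorted(cve for cve, s in scores.items() if s is None)


# Constructed response body (IDs, values and date are made up for this example).
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"cve": "CVE-2099-0001", "epss": "0.943210000", "percentile": "0.999870000", "date": "2026-01-05"},
        {"cve": "CVE-2099-0002", "epss": "0.000410000", "percentile": "0.120000000", "date": "2026-01-05"},
    ]
})
REQUESTED = ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003"]  # 0003 is absent from the response

if __name__ == "__main__":
    print(build_batch_url(REQUESTED))
    scores = parse_epss_response(SAMPLE_RESPONSE, REQUESTED)
    for cve, s in scores.items():
        print(cve, "no score" if s is None else f"EPSS={s[0]:.2%} percentile={s[1]:.2%}")
    print("immediate:", needs_immediate_action(scores))
    print("unscored: ", unscored(scores))
    print("stale?    ", is_stale(SAMPLE_RESPONSE, "2026-01-06"))
```

In a real pipeline the body passed to `parse_epss_response` is `response.text` from the same `requests.get` call the script above uses; keeping the parser free of network code is what makes the missing-row and stale-date handling testable offline.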

Can EPSS replace CVSS?

No. They measure different things. Removing CVSS would leave you blind to impact. If a low-probability vulnerability does get exploited, and it allows full database access (High CVSS), you need to know that.

The modern standard is CVSS + EPSS. One defines the bomb size; the other defines the likelihood of the fuse being lit.