EPSS Scores Explained: Exploit Prediction for Vulnerability Prioritization

Security teams face a constant challenge: hundreds or thousands of CVEs, limited remediation capacity, and no clear way to know which vulnerabilities will actually be exploited. The Exploit Prediction Scoring System (EPSS) provides a data-driven answer.

What Is EPSS?

EPSS is a model maintained by a special interest group at FIRST.org (the Forum of Incident Response and Security Teams) that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Scores are recomputed daily, and every published CVE receives a probability between 0 and 1.

Unlike CVSS, which rates the theoretical severity of a vulnerability based on its technical characteristics, EPSS predicts real-world exploitation activity. A vulnerability might have a CVSS score of 9.8 (Critical) but an EPSS probability of 0.001, meaning that despite its severity there is roughly a 0.1% chance of observed exploitation in the next 30 days. Conversely, a Medium-severity vulnerability with an EPSS probability of 0.85 is very likely to see active exploitation in that window.

How EPSS Scores Are Calculated

The EPSS model uses machine learning trained on observed exploitation activity contributed by its data partners (for example intrusion detection and honeypot telemetry). It draws on a large set of features for each CVE, including:

  • Whether public exploit code exists (e.g., in Exploit-DB or Metasploit)
  • The age of the CVE and time since publication
  • CVSS base score metrics (attack vector, complexity, privileges required)
  • The presence of the CVE in threat intelligence feeds
  • References to security advisories, patches, and vendor bulletins
  • Public discussion of the CVE, including social media mentions

The model outputs two values for each CVE: a probability (the raw likelihood of exploitation) and a percentile (how this CVE compares to all other CVEs). A percentile of 0.95 means this CVE has a higher exploitation probability than 95% of all known CVEs.

Understanding Percentiles

The percentile is often more actionable than the raw probability when setting triage cut-offs. Most CVEs have very low exploitation probabilities: the median EPSS score is well below 0.01, so a fixed probability threshold selects only a small slice of the corpus, and that slice moves as the model is retrained. Percentiles let teams set a consistent threshold regardless of shifts in the overall distribution. The trade-off is that a percentile threshold always selects the same fraction of scored CVEs (the 95th percentile is by definition the top 5 percent), and a CVE's percentile can move even when its own probability has not, simply because other CVEs changed. The percentile expresses relative ranking; when the question is "is this CVE likely to be exploited at all?", read the probability alongside it.

Example Thresholds

  • 95th percentile and above -- High exploitation likelihood. Remediate immediately.
  • 70th to 95th percentile -- Moderate likelihood. Schedule for next patch cycle.
  • Below 70th percentile -- Low likelihood. Monitor but deprioritize.

These thresholds are examples. Teams should calibrate them based on their risk tolerance, asset criticality, and remediation capacity.
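The following script is an added example (not ScanRook's code) showing how the thresholds above are applied to real API output. SAMPLE_RESPONSE is constructed to match the shape of the FIRST EPSS API at https://api.first.org/data/v1/epss, which returns "epss" and "percentile" as decimal strings; the CVE IDs and values in it are illustrative, not real scores. The tier names and the "unscored" handling are this example's own choices.

```python
"""Bucket CVEs into triage tiers by EPSS percentile (added example).

SAMPLE_RESPONSE is constructed to match the shape of the FIRST EPSS API
(https://api.first.org/data/v1/epss), which returns "epss" and "percentile"
as decimal strings; the CVE IDs and values are illustrative, not real scores.
"""
import json
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"

# The article's example tiers: (minimum percentile, tier name), highest first.
TIERS = (
    (0.95, "remediate-now"),
    (0.70, "next-patch-cycle"),
    (0.00, "monitor"),
)

# Constructed sample in the API's response shape (no network access needed).
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 4, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.000450000", "percentile": "0.123400000", "date": "2024-06-01"},
        {"cve": "CVE-2024-0002", "epss": "0.850000000", "percentile": "0.992100000", "date": "2024-06-01"},
        {"cve": "CVE-2024-0003", "epss": "0.012000000", "percentile": "0.851000000", "date": "2024-06-01"},
        {"cve": "CVE-2024-0004", "epss": "0.003100000", "percentile": "0.690000000", "date": "2024-06-01"},
    ],
})


def epss_query_url(cves, score_date=None):
    """Build the GET URL for a batch lookup; the API takes comma-separated CVE IDs."""
    params = {"cve": ",".join(cves)}
    if score_date:
        params["date"] = score_date  # YYYY-MM-DD; omit to get the latest daily scores
    return f"{EPSS_API}?{urlencode(params, safe=',')}"


def parse_epss(response_text):
    """Return {cve: {"epss": float, "percentile": float, "date": str}} from an API response."""
    payload = json.loads(response_text)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {payload.get('status')!r}")
    return {
        row["cve"]: {
            "epss": float(row["epss"]),
            "percentile": float(row["percentile"]),
            "date": row["date"],
        }
        for row in payload["data"]
    }


def tier_for(percentile):
    """Map a percentile (0..1) to the first tier whose floor it meets."""
    for floor, name in TIERS:
        if percentile >= floor:
            return name
    return TIERS[-1][1]


def triage(scores, requested=None):
    """Rank scored CVEs by percentile (highest first) and tag each with a tier.

    CVEs in `requested` that the API did not return (too new to be scored, or
    rejected) are appended as "unscored": silence from EPSS is not evidence of
    low risk, so they are not folded into the "monitor" bucket.
    """
    ranked = sorted(scores.items(), key=lambda kv: kv[1]["percentile"], reverse=True)
    rows = [(cve, s["percentile"], s["epss"], tier_for(s["percentile"])) for cve, s in ranked]
    for cve in requested or ():
        if cve not in scores:
            rows.append((cve, None, None, "unscored"))
    return rows


if __name__ == "__main__":
    wanted = ["CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003", "CVE-2024-0004", "CVE-2024-9999"]
    print("Live lookup URL:", epss_query_url(wanted))
    for cve, pct, prob, tier in triage(parse_epss(SAMPLE_RESPONSE), requested=wanted):
        pct_s = "n/a  " if pct is None else f"{pct:.3f}"
        prob_s = "n/a   " if prob is None else f"{prob:.4f}"
        print(f"{cve}  percentile={pct_s}  epss={prob_s}  -> {tier}")
```

To run it against live data, replace SAMPLE_RESPONSE with the body returned by fetching epss_query_url(wanted); the parsing and tiering are unchanged. Two details are deliberate: the tier boundaries use a greater-than-or-equal comparison so a CVE sitting exactly on the 70th or 95th percentile lands in the higher tier, and CVEs absent from the response are surfaced as "unscored" rather than silently treated as low likelihood.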

EPSS vs. CVSS: Why Both Matter

CVSS and EPSS answer different questions. CVSS answers "how bad could this be?" while EPSS answers "how likely is this to actually happen?" Neither replaces the other. A comprehensive prioritization strategy uses both: CVSS to understand impact potential, EPSS to understand exploitation likelihood.

Research has shown that prioritizing by CVSS alone results in significant over-remediation. Many Critical-severity CVEs are never exploited, while some Medium-severity CVEs with public exploits are widely attacked. EPSS helps teams focus their limited patching capacity where it matters most.

For more on CVSS scoring, see our guide on understanding the NVD and CVSS.

How ScanRook Uses EPSS

ScanRook enriches every finding with EPSS data by default. Each finding in a scan report includes the EPSS probability, percentile, and the date the score was last updated. This data is fetched from the FIRST.org EPSS API and cached alongside NVD and OSV data.

In the ScanRook web dashboard, findings can be sorted and filtered by EPSS percentile, making it straightforward to identify the vulnerabilities most likely to be exploited. Combined with CISA KEV tagging, teams get a clear picture of both predicted and confirmed exploitation activity.

Learn more about ScanRook's enrichment pipeline in the enrichment documentation.

Practical Recommendations

  1. Use EPSS percentile thresholds to triage your backlog, not just CVSS severity ratings.
  2. Combine EPSS with CISA KEV status for a two-signal prioritization model: predicted exploitation plus confirmed exploitation.
  3. Revisit EPSS scores regularly. The model updates daily, and scores can change as new exploit code or threat intelligence emerges.
  4. Track EPSS trends over time. A CVE whose EPSS score is rising may warrant earlier attention even if it has not crossed your threshold yet.
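Recommendations 2 through 4 above combine into one ranking routine. The script below is an added example, not ScanRook's enrichment code: it ranks constructed findings by CISA KEV membership first, then by the article's EPSS percentile tiers, promotes a CVE one tier when its probability is clearly rising, and breaks ties with CVSS severity. HISTORY stands in for the per-CVE score history the FIRST API returns with its scope=time-series option, and KEV stands in for the CVE IDs in CISA's known_exploited_vulnerabilities.json feed; all CVE IDs, scores and severities are illustrative, and the doubling ratio and 0.01 floor used to define "rising" are this example's own choices.

```python
"""Two-signal prioritization: EPSS (predicted) plus CISA KEV (confirmed), with a
rising-trend check (added example, not ScanRook code).

All inputs are constructed. HISTORY stands in for per-CVE EPSS history such as
the FIRST API returns with scope=time-series (oldest entry first); KEV stands in
for the CVE IDs in CISA's known_exploited_vulnerabilities.json feed. CVE IDs,
scores and severities are illustrative, not real data.
"""

# The article's example percentile tiers, applied to the latest score.
P1_FLOOR = 0.95   # remediate immediately
P2_FLOOR = 0.70   # next patch cycle

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}

# Constructed scanner findings with their CVSS qualitative severity.
FINDINGS = [
    {"cve": "CVE-2024-1001", "severity": "CRITICAL"},
    {"cve": "CVE-2024-1002", "severity": "MEDIUM"},
    {"cve": "CVE-2024-1003", "severity": "HIGH"},
    {"cve": "CVE-2024-1004", "severity": "HIGH"},
    {"cve": "CVE-2024-1005", "severity": "MEDIUM"},
]

# Constructed: CVEs present in the KEV catalog (confirmed exploitation).
KEV = {"CVE-2024-1003"}

# Constructed: (date, epss, percentile) history per CVE, oldest first.
HISTORY = {
    "CVE-2024-1001": [("2024-06-01", 0.0009, 0.35), ("2024-06-04", 0.0010, 0.36), ("2024-06-07", 0.0011, 0.37)],
    "CVE-2024-1002": [("2024-06-01", 0.0040, 0.72), ("2024-06-04", 0.0120, 0.85), ("2024-06-07", 0.0410, 0.93)],
    "CVE-2024-1003": [("2024-06-01", 0.0200, 0.88), ("2024-06-04", 0.0210, 0.88), ("2024-06-07", 0.0200, 0.88)],
    "CVE-2024-1004": [("2024-06-01", 0.9100, 0.995), ("2024-06-04", 0.9150, 0.995), ("2024-06-07", 0.9200, 0.996)],
    "CVE-2024-1005": [("2024-06-01", 0.0030, 0.62), ("2024-06-04", 0.0060, 0.66), ("2024-06-07", 0.0090, 0.68)],
}


def is_rising(series, min_ratio=2.0, min_epss=0.01):
    """True if the probability at least doubled across the window and the latest
    value is above a noise floor. The floor matters: tiny scores double easily
    (0.0003 -> 0.0006 is not a signal worth paging anyone for)."""
    if len(series) < 2:
        return False
    first, latest = series[0][1], series[-1][1]
    return first > 0 and latest / first >= min_ratio and latest >= min_epss


def priority(cve, series, kev):
    """Return (tier, rising). Tier 0 = in KEV; tiers 1/2/3 follow the article's
    percentile cut-offs. A rising score promotes a CVE one tier early, but a
    prediction never promotes into tier 0, which is reserved for confirmed exploitation."""
    if cve in kev:
        return 0, is_rising(series)
    percentile = series[-1][2]
    if percentile >= P1_FLOOR:
        tier = 1
    elif percentile >= P2_FLOOR:
        tier = 2
    else:
        tier = 3
    rising = is_rising(series)
    if rising and tier > 1:
        tier -= 1
    return tier, rising


def prioritize(findings, history, kev):
    """Order findings by tier, then CVSS severity (impact), then latest EPSS percentile."""
    rows = []
    for f in findings:
        series = history[f["cve"]]
        tier, rising = priority(f["cve"], series, kev)
        rows.append({
            "cve": f["cve"], "tier": tier, "rising": rising,
            "severity": f["severity"], "percentile": series[-1][2], "epss": series[-1][1],
        })
    rows.sort(key=lambda r: (r["tier"], -SEVERITY_RANK.get(r["severity"], 0), -r["percentile"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(FINDINGS, HISTORY, KEV):
        flag = "  rising" if r["rising"] else ""
        print(f"P{r['tier']}  {r['cve']}  {r['severity']:<8} pct={r['percentile']:.3f}  epss={r['epss']:.4f}{flag}")
```

Run as-is, the ranking puts the KEV entry first even though its EPSS percentile is only 0.88, promotes the Medium-severity CVE-2024-1002 to tier 1 because its probability went from 0.004 to 0.041 in a week, and leaves the Critical-severity CVE-2024-1001 at the bottom because nothing in the exploitation signals supports it. CVE-2024-1005 tripled but stays put: its latest score is still under the 0.01 floor, which is the failure mode the absolute threshold in is_rising guards against.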
