EPSS
Exploit Prediction Scoring System, a FIRST.org probability that a given CVE will be exploited in the wild within the next 30 days.
Definition
EPSS, the Exploit Prediction Scoring System, is a data-driven model maintained by FIRST.org that estimates the probability a given CVE will be exploited in the wild within the next 30 days. The output is a probability between 0 and 1: a higher value means the vulnerability is more likely to see real-world exploitation activity in the near term.
EPSS is deliberately a likelihood signal, not a severity rating. It answers "how likely is this to be attacked soon", which is a different question from "how bad is it if it is exploited". That makes it a complement to CVSS, not a replacement.
Why It Matters
CVSS describes the inherent severity of a vulnerability but says nothing about whether attackers are actually going after it. Many high-CVSS vulnerabilities are never widely exploited, while some lower-scored ones become favorite attacker targets. Using severity alone to order remediation spends effort on findings that pose little practical threat while genuinely active ones wait.
EPSS adds the missing dimension. By pairing a probability of near-term exploitation with severity, teams can focus on vulnerabilities that are both serious and likely to be attacked. This is a core input to vulnerability prioritization and pairs naturally with the confirmed-exploitation signal from the CISA KEV catalog.
How It Works
EPSS is produced by a model that FIRST.org refreshes regularly, so a CVE's probability changes over time as exploitation evidence and threat data evolve. A vulnerability can sit at a low probability for months and then climb sharply once exploitation tooling becomes available. Treating EPSS as a live signal, re-read on a schedule, rather than a one-time lookup is part of using it correctly.
EPSS and CVSS work best as orthogonal axes: severity on one, exploitation likelihood on the other. A finding that is high on both is an obvious priority. A high-severity, low-likelihood finding can often wait, especially if compensating controls are already in place. This is why a risk-based program reads both, plus asset context from the cyber asset inventory, rather than any single number.
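The two points above, reading EPSS as a live signal that moves between refreshes and treating it as an axis orthogonal to CVSS, can be made concrete with a small ranking script. The code below is an added example, not Koopic's or FIRST.org's code: the CVE identifiers and EPSS values are constructed placeholders, and the weights, the KEV likelihood floor and the exposure/criticality bonuses are assumptions to be tuned to a real program. In production the `epss` values would come from FIRST.org's published scores (e.g. the https://api.first.org/data/v1/epss endpoint) re-read on a schedule.

```python
"""Added example: rank findings on severity (CVSS) and likelihood (EPSS, with
CISA KEV as a confirmed-exploitation floor), add asset context, and flag CVEs
whose EPSS climbed sharply between two refreshes. All inputs are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float                   # CVSS base score, 0-10 (severity axis)
    epss: float                   # EPSS probability, 0-1 (likelihood axis), latest refresh
    kev: bool = False             # listed in CISA KEV: exploitation is confirmed
    internet_facing: bool = False  # exposure context from the asset inventory
    critical_asset: bool = False   # business criticality from the asset inventory


# Assumed weighting; not an EPSS or Koopic formula.
W_SEVERITY, W_LIKELIHOOD = 0.4, 0.6
KEV_FLOOR = 0.9          # a KEV entry is treated as at least this likely to be hit
EXPOSURE_BONUS = 0.1
CRITICALITY_BONUS = 0.1


def score(f: Finding) -> dict:
    """Return a per-factor breakdown and a 0-100 priority for one finding."""
    severity = f.cvss / 10.0
    # Confirmed exploitation (KEV) overrides a low EPSS; otherwise use EPSS as-is.
    likelihood = max(f.epss, KEV_FLOOR) if f.kev else f.epss
    base = W_SEVERITY * severity + W_LIKELIHOOD * likelihood
    context = (EXPOSURE_BONUS if f.internet_facing else 0.0) + \
              (CRITICALITY_BONUS if f.critical_asset else 0.0)
    total = min(1.0, base + context)
    return {
        "cve": f.cve,
        "severity": round(severity, 2),
        "likelihood": round(likelihood, 2),
        "context": round(context, 2),
        "priority": round(total * 100, 1),
    }


def rank(findings: list[Finding]) -> list[dict]:
    """Highest priority first; ties keep input order."""
    return sorted((score(f) for f in findings),
                  key=lambda r: r["priority"], reverse=True)


def epss_movers(previous: dict, current: dict, jump: float = 0.2) -> list[tuple]:
    """CVEs whose EPSS rose by at least `jump` between two refreshes.

    A CVE absent from the previous snapshot is treated as having been 0.0.
    Returns (cve, old, new) tuples, largest rise first."""
    moved = [(cve, previous.get(cve, 0.0), p)
             for cve, p in current.items()
             if p - previous.get(cve, 0.0) >= jump]
    return sorted(moved, key=lambda t: t[2] - t[1], reverse=True)


# Constructed sample data: placeholder CVE ids, not real advisories.
FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01),                       # severe, rarely attacked
    Finding("CVE-0000-0002", cvss=7.5, epss=0.85, kev=True, internet_facing=True),
    Finding("CVE-0000-0003", cvss=6.5, epss=0.45, internet_facing=True, critical_asset=True),
    Finding("CVE-0000-0004", cvss=5.3, epss=0.003),                      # low on both axes
]
PREVIOUS_EPSS = {"CVE-0000-0001": 0.01, "CVE-0000-0002": 0.12, "CVE-0000-0003": 0.44}
CURRENT_EPSS = {f.cve: f.epss for f in FINDINGS}

if __name__ == "__main__":
    for r in rank(FINDINGS):
        print(f'{r["cve"]}: priority {r["priority"]:5.1f}  '
              f'(severity {r["severity"]}, likelihood {r["likelihood"]}, context {r["context"]})')
    for cve, old, new in epss_movers(PREVIOUS_EPSS, CURRENT_EPSS):
        print(f"EPSS climbed for {cve}: {old} -> {new}; re-rank this finding")
```

Running it puts the KEV-listed, internet-facing CVE-0000-0002 first even though its CVSS is below CVE-0000-0001's 9.8, which illustrates the "high on both axes beats high on one" rule from the section above, and the mover check surfaces the same CVE as the one whose EPSS jumped since the last refresh.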
How Koopic Helps
Koopic enriches its CVE catalog with EPSS from FIRST.org and feeds it into the risk-based prioritization engine alongside CVSS, exploitation evidence, exposure, and criticality; this enrichment is included on every plan. The per-factor breakdown shows how the EPSS signal influenced each finding's rank, so you can see which vulnerabilities to fix first.
See it on your data
Work with us as a design partner - we'll show you how Koopic applies these concepts to your actual environment.