Modern security teams are overwhelmed by the sheer volume of vulnerabilities disclosed every year. CVSS scores label many of them as high or critical, yet only a tiny percentage, around 2–3% are ever exploited in the wild. Treating all “critical” vulnerabilities equally wastes time, energy, and budget. This is where the EPSS Score (Exploit Prediction Scoring System) fundamentally changes the game, bridging the gap left by traditional approaches.
EPSS shifts vulnerability management from severity-based decisions to likelihood-based prioritization, helping teams focus on vulnerabilities attackers are actually likely to exploit.
What Is EPSS?
The Exploit Prediction Scoring System (EPSS), developed by FIRST, is a machine-learning model that assigns each CVE a probability score between 0 and 1, representing the likelihood that it will be exploited in the next 30 days.
Examples:
- 0.95 EPSS → extremely high likelihood of exploitation
- 0.01 EPSS → minimal real-world risk
Unlike traditional scoring systems, EPSS incorporates real-world exploitation evidence, making it a dynamic and highly accurate indicator of attacker behavior.
Why EPSS Exists (The Problem with CVSS Alone)
CVSS has long been the industry standard for vulnerability rating, but it measures severity, not exploitability.
This leads to several operational problems:
- Many CVEs score 7.0+ High/Critical, but almost none are exploited.
- Teams end up patching thousands of vulnerabilities that pose no immediate danger.
- Low-to-medium severity vulnerabilities sometimes explode into active attack chains.
EPSS fills this critical gap by answering the question CVSS cannot:
“What is the probability this vulnerability will actually be exploited?”
EPSS Score vs EPSS Percentile
EPSS provides two key data points:
EPSS Score (0–1)
The EPSS Score is the predicted probability that a given CVE will be exploited within the next 30 days.
It is a numerical probability expressed between 0 and 1.
Key characteristics:
- Represents absolute risk: A score of 0.45 means a 45% chance of exploitation.
- Environment-agnostic: It does not depend on your infrastructure or configuration; this is a global prediction based on threat intelligence, exploit availability, attacker behavior patterns, and historical data.
- Data-driven prediction: The score is updated daily as new threat data arrives (exploits released, malware trends, attacker traffic, etc.).
EPSS Percentile (0–100%)
The EPSS Percentile indicates how a vulnerability ranks relative to all other CVEs in terms of predicted exploitation likelihood.
Key characteristics:
- Represents relative risk: It shows where the CVE stands compared to the entire CVE universe.
- Provides context at scale: Useful for teams dealing with thousands of vulnerabilities.
- Rank-based metric: Higher percentile = higher risk compared to peers.
- Not a probability: It does not tell you the exact likelihood of exploitation, only where it sits in the distribution.
How EPSS Score and EPSS Percentile Work Together
Using both metrics gives a fuller picture of exploit risk:
| Metric | Purpose | What It Tells You |
|---|---|---|
| EPSS Score | Absolute risk | “What is the exact probability this CVE will be exploited?” |
| EPSS Percentile | Relative risk | “How severe is this CVE compared to all others?” |
How EPSS Works?
1. Data-Driven Modeling
EPSS aggregates data from multiple sources:
- NVD and MITRE CVE metadata
- Exploit availability (Exploit-DB, GitHub PoCs, Metasploit)
- Honeypot and IDS/IPS telemetry
- Malware sandboxes
- Threat intelligence feeds
- Offensive security tools (Nuclei, Jaeles, Sn1per, Intrigue)
The model learns correlations between vulnerability attributes and actual exploitation attempts. This training enables EPSS to detect subtle patterns humans often miss, such as exploit timing, attacker tooling trends, and vulnerability clusters.
2. Predictive Scoring Engine
The model processes updated data and generates a probability score for each CVE. These scores are forward-looking, meaning they predict what attackers are likely to do over the next 30 days, not what happened in the past.
High scores (0.7–1.0) indicate imminent exploitation.
Low scores (<0.05) flag vulnerabilities unlikely to be targeted soon.
3. Risk-Based Vulnerability Prioritization
The core value of EPSS is its ability to guide resource-efficient vulnerability remediation.
Instead of patching thousands of “critical severity” vulnerabilities, teams can focus on the few that attackers are most actively targeting. This improves efficiency, reduces alert fatigue, and drives faster risk reduction.
4. EPSS + CVSS: Why Both Matter
CVSS measures the impact if exploited. EPSS measures the likelihood of exploitation.
When used together, they reveal true risk:
- High CVSS + High EPSS = Fix Immediately (Top Priority)
- High CVSS + Low EPSS = Patch strategically
- Low CVSS + High EPSS = Patch quickly (attackers will target it)
This combined strategy is the foundation of modern risk-based vulnerability management (RBVM).
5. Continuous Daily Updates
Vulnerabilities may gain exploit code overnight or become weaponized suddenly. EPSS models shift accordingly due to daily data refreshes, ensuring scores reflect evolving real-world attacker behavior. This allows teams to track risk changes in real time.
Examples: How EPSS Changes Real-World Prioritization
Here are three recent 2025 vulnerabilities that clearly show how EPSS can contradict assumptions based on CVSS alone:
1. CVE-2025-55752 (Apache Tomcat Vulnerability)
- CVSS: 7.5 (High)
- EPSS: ~0.003–0.005 (0.3%–0.5%)
Result:
High severity but extremely low exploitation probability → Lower priority than many medium-severity CVEs.
EPSS reveals that attacker interest is minimal because exploitation requires uncommon configurations (PUT enabled).
2. CVE-2025-54236 (“SessionReaper” Adobe Commerce / Magento)
- CVSS: 9.8 (Critical)
- EPSS: ~0.15 (≈15% estimated likelihood based on exploit availability + threat activity)
Result:
Critical severity + moderate exploitation probability → Higher priority than many critical CVEs without active exploit paths.
3. CVE-2025-59287 (WSUS Spoofing & Remote Code Execution Vulnerability)
- CVSS: 8.8 (High)
- EPSS: ~0.42 (≈42% likelihood based on active exploitation reports + threat-intel feeds)
Result:
High severity + strong exploitation probability → Higher priority than many critical CVEs with low EPSS.
This vulnerability is being actively exploited because attackers can spoof WSUS update metadata to push malicious binaries to Windows systems.
This demonstrates that:
Severity ≠ likelihood.
Likelihood = better prioritization.
How EPSS Reduces Workload by 90%
A widely cited study shows:
If you patch CVSS ≥ 7 only:
- Effort: 57% of all vulnerabilities
- Efficiency: ~4% (very low)
- Coverage: 82% exploited vulnerabilities caught
If you prioritize EPSS ≥ 10%:
- Effort: 2.7% of vulnerabilities
- Efficiency: 65%
- Coverage: 63%
This means:
- 90% fewer patches
- 10x higher accuracy
- Fewer false positives
- Faster reduction in real-world risk
Organizations with limited security resources (which is nearly everyone) benefit the most.
Key Benefits of EPSS In Vulnerability Management
- Improved prioritization: EPSS provides a probability score for a vulnerability being exploited, allowing teams to focus on the most critical threats. This is a more actionable approach than solely relying on static severity scores like CVSS.
- Reduced workload: By identifying which vulnerabilities are most likely to be exploited, security teams can work smarter and avoid getting overwhelmed by the sheer volume of vulnerabilities. This helps reduce patching efforts to focus on those with the highest actual risk.
- Enhanced threat intelligence: EPSS integrates with other security tools and threat intelligence feeds, offering a more comprehensive view of the threat landscape.
- Better risk-based decision-making: It provides an evidence-based method for prioritizing vulnerabilities, helping security and IT teams make more informed decisions about which weaknesses pose the greatest risk to sensitive systems.
- More effective reporting: EPSS provides a quantifiable measure of risk that can be used to report on the organization’s security posture to stakeholders, including executives and regulators.
- Supports incident response: During an active cyberattack, EPSS can help incident responders quickly identify and prioritize which vulnerabilities are being exploited, allowing them to act swiftly and minimize damage.
- Proactive security posture: By focusing on the vulnerabilities most likely to be targeted, organizations can shift from a reactive to a more proactive security posture, staying ahead of threats.
- API integration: EPSS can be directly integrated into existing vulnerability scanners, SIEMs, and other orchestration tools for seamless workflow automation.
When EPSS highlights high-risk vulnerabilities, platforms like Indusface WAS strengthen the workflow by automatically onboarding applications to WAAP and applying virtual patches through SwyftComply.
This means all findings are instantly shielded at the WAF layer while developers work on permanent fixes, reducing operational workload even further and minimizing exposure windows.
