Exploit Prediction Scoring System (EPSS)


What is EPSS? 

EPSS stands for Exploit Prediction Scoring System. Developed by FIRST.org, it’s a data-driven model for estimating how likely it is that a given software vulnerability will be exploited in the wild. 

What is an EPSS score?

The EPSS score is a number between 0 and 1 (or sometimes shown as a percentage) that predicts the likelihood a vulnerability will be exploited in the next 30 days. A higher score means a higher chance of being attacked.

For example:

  • A score of 0.01 = very unlikely to be exploited
  • A score of 0.8 = high likelihood of exploitation

What’s the difference between EPSS and CVSS?

EPSS doesn’t replace CVSS, which measures how severe a vulnerability is. Instead, EPSS tells you how urgent the fix is based on what attackers are likely to go after.

How is EPSS calculated? 

The model works by collecting a wide range of vulnerability information from various sources, such as:

  • The age of the vulnerability - How long it has been publicly known
  • CWE categories - The type of coding weakness associated with the vulnerability
  • CVSS metrics - Severity scores sourced from NVD
  • How often the vulnerability is mentioned - Including on security sites, public lists like CISA KEV, and research initiatives like Google Project Zero
  • Availability of public exploits - Whether working exploit code is shared on platforms like Exploit-DB
  • Mentions in offensive security tools and scanners - Such as Nuclei
  • Descriptive language in the CVE entry - Multiword phrases and patterns found in the CVE’s published description

Using machine learning, the model is trained to identify subtle patterns between these data points to predict the likelihood of future exploitation. The goal is to reflect what’s happening in the real world - not just what could happen in theory.

How to use EPSS

EPSS is best used alongside CVSS and other context. Security teams often:

  • Use CVSS to understand impact and technical severity
  • Use EPSS to understand likelihood of exploitation
  • Combine both to prioritize remediation

For example, if a vulnerability has a high CVSS score but a low EPSS score, it may be less urgent. But if both scores are high, it should go to the top of your list.
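The prioritisation rule above, as an added example that is not part of the original page or of Intruder's own code. It parses a constructed response shaped like the FIRST EPSS API's JSON (the `data` rows carry `cve`, `epss` and `percentile` fields, with EPSS as a 0-1 probability), joins it to a constructed list of scanner findings with CVSS base scores, and assigns a tier: high CVSS and high EPSS go first, then likely-exploited-but-low-severity, then severe-but-unlikely, then the rest. The CVE ids, scores, asset names and the 0.1 EPSS / 7.0 CVSS thresholds are placeholders and assumptions, not real data or recommended cut-offs; a CVE with no EPSS entry is routed to a separate "review" tier rather than silently treated as low risk.

```python
import json

# Constructed sample shaped like a FIRST EPSS API response
# (https://api.first.org/data/v1/epss). The CVE ids and values are
# placeholders, not real scores.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.912", "percentile": "0.995", "date": "2024-01-01"},
        {"cve": "CVE-0000-0002", "epss": "0.004", "percentile": "0.120", "date": "2024-01-01"},
        {"cve": "CVE-0000-0003", "epss": "0.350", "percentile": "0.970", "date": "2024-01-01"},
        {"cve": "CVE-0000-0004", "epss": "0.010", "percentile": "0.300", "date": "2024-01-01"},
    ],
})

# Constructed findings from a hypothetical scanner: CVSS base score per CVE.
# CVE-0000-0005 deliberately has no EPSS row, to show the missing-data path.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "asset": "web-01"},
    {"cve": "CVE-0000-0002", "cvss": 9.1, "asset": "db-01"},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "asset": "web-02"},
    {"cve": "CVE-0000-0004", "cvss": 4.0, "asset": "jump-01"},
    {"cve": "CVE-0000-0005", "cvss": 7.5, "asset": "mail-01"},
]


def parse_epss(response_text):
    """Map CVE id -> (epss probability, percentile) from an API-shaped JSON body."""
    payload = json.loads(response_text)
    return {
        row["cve"]: (float(row["epss"]), float(row["percentile"]))
        for row in payload.get("data", [])
    }


def priority_tier(cvss, epss, epss_threshold=0.1, cvss_threshold=7.0):
    """Combine severity (CVSS) and likelihood (EPSS) into a remediation tier.

    Thresholds are assumptions for illustration, not recommended cut-offs.
    """
    if epss is None:
        return "review"          # no EPSS data: don't assume it's safe
    high_sev = cvss >= cvss_threshold
    likely = epss >= epss_threshold
    if high_sev and likely:
        return "P1"              # severe and likely to be exploited: top of the list
    if likely:
        return "P2"              # attackers are going after it, even if impact is lower
    if high_sev:
        return "P3"              # severe on paper, but little sign of exploitation
    return "P4"


def as_percent(epss):
    """EPSS is often displayed as a percentage; format the 0-1 value that way."""
    return "n/a" if epss is None else f"{epss * 100:.1f}%"


def prioritize(findings, epss_by_cve):
    """Return findings annotated with EPSS and tier, sorted most urgent first."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, "review": 4}
    ranked = []
    for f in findings:
        epss, pct = epss_by_cve.get(f["cve"], (None, None))
        ranked.append({**f, "epss": epss, "percentile": pct,
                       "tier": priority_tier(f["cvss"], epss)})
    # Within a tier, higher EPSS first, then higher CVSS.
    ranked.sort(key=lambda r: (order[r["tier"]], -(r["epss"] or 0.0), -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, parse_epss(SAMPLE_EPSS_RESPONSE)):
        print(f'{r["tier"]:6} {r["cve"]} cvss={r["cvss"]} epss={as_percent(r["epss"])} {r["asset"]}')
```

In real use, `SAMPLE_EPSS_RESPONSE` would be replaced by the body returned from the FIRST API for the CVEs in your findings; the join and tiering logic stay the same. Keeping the "review" tier separate matters because a CVE absent from the EPSS feed (too new, or not yet scored) says nothing about its likelihood of exploitation.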

Platforms like Intruder integrate EPSS scores to help users focus on vulnerabilities that pose the most risk.

Why EPSS matters

Just because a vulnerability exists doesn’t mean hackers will use it. There are thousands of vulnerabilities out there, and most companies don’t have the resources to fix them all right away.

EPSS helps security teams prioritize what to fix by focusing on what’s actually being targeted. 

In a nutshell, EPSS helps:

  • Cut through the noise
  • Prioritize limited time and resources
  • Reduce real-world risk

How to use EPSS in your vulnerability management program

An exposure management platform like Intruder displays EPSS scores alongside the security issues it discovers in your systems.

EPSS scores shown in Intruder

Get your EPSS scores by starting a free trial of Intruder for 14 days.