Tamnoon Academy
Exploit Prediction Scoring System (EPSS)
What is the Exploit Prediction Scoring System (EPSS)?
The Exploit Prediction Scoring System (EPSS) is a vulnerability management framework developed in 2019 that’s managed by the Forum of Incident Response and Security Teams (FIRST).
Using a machine learning model trained on comprehensive data ranging from vendor reports to white hat research, the EPSS estimates the probability that a vulnerability will be exploited within thirty days, reflected as a percentile score.
The model assigns this score to each newly discovered vulnerability based on over 1100 variables.
The EPSS is updated daily and can be downloaded from FIRST’s website in CSV format. Vulnerabilities in the EPSS are categorized by their Common Vulnerabilities and Exposures (CVE) identifiers per MITRE’s CVE List. Each vulnerability is also assigned two scores:
- EPSS Measurement: Represents the probability of the vulnerability being exploited in the wild within the next 30 days. Expressed as a number from 0-1.
- Percentile: Ranks the vulnerability according to its EPSS score. A vulnerability with a percentile score of 10% has a lower EPSS score than 90% of vulnerabilities.
In addition to a percentile score, the EPSS groups vulnerabilities into one of four categories:
- False Positives: Vulnerabilities with a high EPSS score but no exploits in observed data.
- True Positives: Vulnerabilities with a high EPSS score and exploits in observed data.
- False Negatives: Vulnerabilities with a low EPSS score and exploits in observed data.
- True Negatives: Vulnerabilities with a low EPSS score and no exploits in observed data.
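The two scores and the four outcome classes above, worked through in Python. This is an added example, not code from Tamnoon or FIRST; the CSV layout it assumes (a leading `#` metadata line followed by `cve,epss,percentile` columns) and every CVE id, score and "observed exploitation" value in it are constructed for illustration.

```python
import csv
import io
from bisect import bisect_left

# Constructed sample in the layout of the daily EPSS CSV download (assumed:
# one '#' metadata line, then a cve,epss,percentile header). Ids/values are made up.
SAMPLE_EPSS_CSV = """#model_version:vEXAMPLE,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2024-00001,0.97000,0.99900
CVE-2024-00002,0.00042,0.08000
CVE-2024-00003,0.35000,0.96000
CVE-2024-00004,0.00900,0.60000
CVE-2024-00005,0.00015,0.02000
"""

# Constructed: CVEs for which exploitation was observed in the evaluation window.
OBSERVED_EXPLOITED = {"CVE-2024-00001", "CVE-2024-00004"}


def load_epss(text):
    """Return {cve: epss_probability}, skipping the '#' metadata line."""
    rows = csv.DictReader(l for l in io.StringIO(text) if not l.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in rows}


def percentile_rank(scores, value):
    """Fraction of scores strictly below `value`: a CVE at the 10th percentile
    has a lower EPSS than 90% of the others, as the text describes."""
    ordered = sorted(scores)
    return bisect_left(ordered, value) / len(ordered)


def classify(epss, exploited, threshold=0.1):
    """Map (score, observed exploitation) onto the four outcome classes."""
    high = epss >= threshold
    if high and exploited:
        return "true positive"
    if high:
        return "false positive"
    if exploited:
        return "false negative"
    return "true negative"


def evaluate(text=SAMPLE_EPSS_CSV, exploited=OBSERVED_EXPLOITED, threshold=0.1):
    """Per-CVE probability, locally computed percentile and outcome class."""
    scores = load_epss(text)
    return {cve: {"epss": p,
                  "percentile": percentile_rank(scores.values(), p),
                  "outcome": classify(p, cve in exploited, threshold)}
            for cve, p in scores.items()}
```

The percentile here is computed over the sample only; the published column ranks each CVE against the whole daily file.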
Why EPSS is Important for Vulnerability Management
From a security perspective, EPSS is important because it supports better, more accurate vulnerability remediation.
Because the EPSS model is trained on real-world exploitation attempts and vulnerability databases, it can accurately predict how likely threat actors are to exploit a vulnerability. This adds valuable context to metrics, such as the Common Vulnerability Scoring System (CVSS), allowing teams to avoid wasting time and energy remediating vulnerabilities where exploitation is unlikely.
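To make the prioritization argument concrete: the added example below (not code from the page or from FIRST) ranks a constructed set of findings once by CVSS base score and once by EPSS, then measures how many patches each ordering needs before it covers most of the expected 30-day exploitation activity (the sum of EPSS probabilities). All CVE ids, CVSS and EPSS values are made up.

```python
# Constructed findings as (cve, cvss_base_score, epss_probability); values are made up.
FINDINGS = [
    ("CVE-2024-10001", 9.8, 0.0004),
    ("CVE-2024-10002", 9.1, 0.0010),
    ("CVE-2024-10003", 8.8, 0.0020),
    ("CVE-2024-10004", 7.5, 0.9400),
    ("CVE-2024-10005", 6.5, 0.7100),
    ("CVE-2024-10006", 5.3, 0.0003),
    ("CVE-2024-10007", 9.6, 0.0090),
    ("CVE-2024-10008", 4.3, 0.2500),
]


def rank(findings, key):
    """CVE ids ordered from highest to lowest priority under `key`."""
    return [f[0] for f in sorted(findings, key=key, reverse=True)]


def by_cvss(findings):
    """Severity-first ordering (EPSS only breaks ties)."""
    return rank(findings, key=lambda f: (f[1], f[2]))


def by_epss(findings):
    """Exploit-likelihood-first ordering (CVSS only breaks ties)."""
    return rank(findings, key=lambda f: (f[2], f[1]))


def expected_exploits_covered(findings, order, n):
    """Share of total expected exploitation (sum of EPSS) addressed by
    patching the first n CVEs in `order`."""
    epss = {f[0]: f[2] for f in findings}
    return sum(epss[c] for c in order[:n]) / sum(epss.values())


def patches_needed(findings, order, coverage):
    """Smallest n whose first n CVEs in `order` reach the coverage target."""
    for n in range(1, len(order) + 1):
        if expected_exploits_covered(findings, order, n) >= coverage:
            return n
    return len(order)


if __name__ == "__main__":
    for name, order in (("CVSS", by_cvss(FINDINGS)), ("EPSS", by_epss(FINDINGS))):
        print(f"{name}: {patches_needed(FINDINGS, order, 0.9)} patches for 90% coverage")
```

On this sample the EPSS ordering reaches 90% coverage after 3 patches, while the CVSS ordering needs all 8 because the highest-severity CVEs carry almost no exploit probability.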
How the EPSS Model Works
When evaluating a vulnerability, the EPSS first ingests data on the vulnerability’s age, MITRE CVE listing, CVSS score, Common Weakness Enumeration (CWE), and associated vendor. The model also draws from the National Vulnerability Database and pulls data from security vendors, government agencies, exploitation records, and vulnerability databases. Other sources include the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalog and data gathered by FIRST and its partners.
The EPSS model processes and analyzes this data to generate a score for each vulnerability.
EPSS vs. Traditional Vulnerability Scoring Systems
EPSS differs from other vulnerability scoring systems in a few ways.
It’s measured as a percentage, representing the chance bad actors will exploit a vulnerability.
It’s also open-source and leverages machine learning for scoring, further setting it apart from traditional scoring.
EPSS vs. CVSS
FIRST also manages the Common Vulnerability Scoring System. This system measures how much damage a vulnerability can do if it’s exploited, a metric known as severity.
The system assigns vulnerabilities a severity score of 0-10, with 10 being the highest. The severity score is calculated based on the following groups of metrics:
- Base metrics: Intrinsic characteristics of the vulnerability that remain relatively constant.
- Environmental metrics: Unique aspects of a business’s unique environment and ecosystem.
- Temporal metrics: How the vulnerability changes over time, such as by releasing new patches or exploits.
Each CVSS score maps to a qualitative severity rating: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), or Critical (9.0-10.0).
EPSS vs. CWSS
The Common Weakness Scoring System (CWSS), developed as part of the Common Weakness Enumeration (CWE) project, measures flaws or security errors in software, known as weaknesses.
While not themselves vulnerabilities, these weaknesses are potentially exploitable by threat actors. MITRE created CWSS as a companion to its Common Weakness Enumeration (CWE) framework. The system scores a weakness across three categories:
- Base finding metrics: Any risk the weakness poses, the strength of existing controls, and confidence in the finding’s accuracy.
- Attack surface metrics: Roadblocks an attacker must overcome to exploit the weakness.
- Environmental metrics: Characteristics unique to each organization, such as business impact and external control effectiveness.
To calculate a CWSS score, each category yields a weighted subscore, and the three subscores are multiplied together to produce a final score between 0 and 100.
Frequently Asked Questions
What is the Exploit Prediction Scoring System (EPSS)?
The Exploit Prediction Scoring System (EPSS) is a data-driven framework developed in 2019 by FIRST to predict how likely it is that a vulnerability will be exploited in the wild within the next 30 days. Scores range from 0–1, indicating probability, and are also ranked as percentiles to help security teams prioritize effectively.
How does EPSS differ from CVSS?
CVSS (Common Vulnerability Scoring System) measures the severity of a vulnerability based on its potential impact (e.g., damage, access complexity), using a 0–10 scale. EPSS, on the other hand, predicts real-world exploit likelihood, not severity, providing a complementary perspective focused on actual attacker behavior.
What data sources are used in EPSS scoring?
EPSS trains a machine learning model on data drawn from CVE details, CVSS, CWE, vendor reports, security vendor and government databases (such as CISA’s Known Exploited Vulnerabilities catalog), and real-world exploit telemetry.
How often is the EPSS score updated?
Scores are refreshed daily and published in a downloadable CSV via FIRST’s EPSS portal. This frequent update allows teams to respond quickly as new exploitation trends emerge.
Can organizations reliably use EPSS for vulnerability prioritization?
Yes. EPSS has demonstrated strong predictive accuracy. The current model achieves approximately an 82% performance improvement in distinguishing exploited vulnerabilities over earlier versions. Many security teams use it to focus remediation on vulnerabilities with higher real-world threat potential.
Are there limitations to using EPSS?
EPSS predicts only the probability of exploitation, not the potential impact of a vulnerability. Low-scoring vulnerabilities may still cause significant damage, depending on the environment. EPSS also relies on past data trends and may lag slightly in predicting novel threat techniques.