Vol. 1 · Ed. 2026
CyberGlossary
Entry № 431

EPSS (Exploit Prediction Scoring System)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is EPSS (Exploit Prediction Scoring System)?

EPSS (Exploit Prediction Scoring System): A data-driven model, maintained by FIRST, that estimates the probability a given CVE will be exploited in the wild within the next 30 days.


EPSS combines machine learning with real-world signals (published exploit code, exploitation activity observed by threat-intelligence and sensor partners, vendor advisories, social-media mentions) to produce two numbers per CVE: a probability between 0 and 1 that exploitation activity will be observed in the next 30 days, and a percentile that ranks that probability against every other scored CVE. It complements CVSS by answering not how bad a flaw could be in theory, but how likely it is to be exploited soon. Vulnerability-management programmes use it to triage large backlogs: a critical CVSS issue with a very low EPSS may wait, while a medium CVSS issue with a high EPSS, especially one also listed in CISA's KEV catalogue, often jumps the queue. Scores are recomputed daily and should be re-fetched rather than cached for long, because a newly published exploit can move a CVE from near zero to the top percentile overnight. Two caveats matter in practice: EPSS predicts exploitation attempts seen in the wild, not whether a particular asset is reachable or actually exploitable, so it is a likelihood input to be combined with asset exposure and business impact rather than a replacement for them; and it only exists for CVEs, so a vulnerability without a CVE ID has no score.

Examples

  1. A CVE with EPSS probability 0.97 and percentile 99: exploitation activity in the next 30 days is near-certain, and the CVE outranks 99% of all scored CVEs. Patch it now, whatever its CVSS score.

  2. A CVSS 9.8 bug with EPSS 0.001: severe if exploited, but with roughly a 0.1% chance of observed exploitation in the next 30 days it can usually be scheduled behind lower-severity issues that are actively being attacked.
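The triage rule described above, applied in code, as an added example that is not part of the glossary entry and not FIRST's own tooling. It parses EPSS records, joins them with CVSS scores and KEV membership, buckets each finding, sorts the queue (KEV first, then EPSS, then CVSS), and estimates the chance that at least one CVE on a host is exploited. The sample records are constructed to mirror the JSON shape of the public FIRST API (https://api.first.org/data/v1/epss?cve=...), where `epss` and `percentile` arrive as strings holding fractions in [0, 1]; the CVE identifiers (CVE-0000-*), CVSS values, KEV membership and tier thresholds are all placeholders chosen for the example.

```python
"""EPSS-driven triage of a CVE backlog (added example, not FIRST code)."""
from __future__ import annotations

import json
import math
from dataclasses import dataclass

# Constructed sample mirroring the FIRST EPSS API response shape.
# The CVE ids are placeholders, not real CVEs.
SAMPLE_EPSS_JSON = json.dumps({
    "status": "OK",
    "total": 3,
    "data": [
        {"cve": "CVE-0000-1001", "epss": "0.970000000", "percentile": "0.999000000", "date": "2026-01-15"},
        {"cve": "CVE-0000-1002", "epss": "0.001000000", "percentile": "0.320000000", "date": "2026-01-15"},
        {"cve": "CVE-0000-1003", "epss": "0.050000000", "percentile": "0.910000000", "date": "2026-01-15"},
    ],
})

# Constructed: CVSS base scores from a scanner and KEV membership.
SAMPLE_CVSS = {"CVE-0000-1001": 6.5, "CVE-0000-1002": 9.8, "CVE-0000-1003": 7.5}
SAMPLE_KEV = {"CVE-0000-1001"}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # probability of exploitation activity in the next 30 days
    percentile: float  # rank among all scored CVEs, as a fraction in [0, 1]
    in_kev: bool


def parse_epss(api_json: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (probability, percentile). The API sends both as strings."""
    payload = json.loads(api_json)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in payload["data"]}


def build_findings(api_json: str, cvss_by_cve: dict[str, float], kev: set[str]) -> list[Finding]:
    """Join EPSS scores with scanner CVSS data and the KEV list."""
    return [Finding(cve, cvss_by_cve[cve], p, pct, cve in kev)
            for cve, (p, pct) in parse_epss(api_json).items()]


def triage_tier(f: Finding, epss_high: float = 0.1, epss_low: float = 0.01) -> str:
    """Bucket a finding. The thresholds are this example's assumptions,
    not FIRST guidance; tune them to your remediation capacity."""
    if f.in_kev or f.epss >= epss_high:
        return "now"          # confirmed or likely exploitation, regardless of CVSS
    if f.cvss >= 7.0 and f.epss >= epss_low:
        return "soon"         # high impact and non-negligible likelihood
    if f.cvss >= 7.0 or f.epss >= epss_low:
        return "scheduled"    # severe-but-quiet, or likely-but-low-impact
    return "backlog"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """KEV first, then EPSS probability, then CVSS as the tie-breaker."""
    return sorted(findings, key=lambda f: (f.in_kev, f.epss, f.cvss), reverse=True)


def p_any_exploited(findings: list[Finding]) -> float:
    """P(at least one of these CVEs sees exploitation in 30 days), treating the
    per-CVE probabilities as independent; a simplification, but useful for
    ranking hosts that carry many CVEs."""
    return 1.0 - math.prod(1.0 - f.epss for f in findings)


if __name__ == "__main__":
    queue = prioritize(build_findings(SAMPLE_EPSS_JSON, SAMPLE_CVSS, SAMPLE_KEV))
    for f in queue:
        print(f"{f.cve}  cvss={f.cvss:<4} epss={f.epss:<6} pct={f.percentile:.0%} "
              f"kev={str(f.in_kev):<5} -> {triage_tier(f)}")
    print(f"P(any exploited on this host) = {p_any_exploited(queue):.3f}")
```

With the constructed data the KEV-listed CVSS 6.5 finding lands in the "now" tier ahead of the CVSS 9.8 finding, which sits in "scheduled" because its EPSS is 0.001; that is exactly the reordering the glossary text describes. Note that the API reports the percentile as a fraction (0.999), while it is usually quoted as a percent (99.9) in conversation.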

Frequently asked questions

What is EPSS (Exploit Prediction Scoring System)?

A data-driven model, maintained by FIRST, that estimates the probability a given CVE will be exploited in the wild within the next 30 days. It belongs to the Vulnerabilities category of cybersecurity.

What does EPSS (Exploit Prediction Scoring System) mean?

A data-driven model, maintained by FIRST, that estimates the probability a given CVE will be exploited in the wild within the next 30 days.

How do you use EPSS (Exploit Prediction Scoring System) in practice?

EPSS is a prioritisation input, not a threat to defend against. Fetch the current scores daily, combine the probability with CVSS for impact, with CISA's KEV catalogue for confirmed exploitation, and with asset exposure for reachability, and set the EPSS threshold that triggers immediate remediation according to how many fixes your team can ship in a cycle.

What are other names for EPSS (Exploit Prediction Scoring System)?

Common alternative names include: EPSS score.
