Safeguard
FAQ

CVSS, EPSS, and KEV Explained: A Prioritization FAQ

CVSS measures severity, EPSS estimates exploitation likelihood, and CISA KEV lists what is actively exploited. Here is how the three differ and how to use them together.

Safeguard Team
Product & Security
6 min read

CVSS, EPSS, and KEV answer three different questions about a vulnerability. CVSS asks "how bad could this be if exploited?" and gives a severity score from 0.0 to 10.0. EPSS asks "how likely is this to be exploited soon?" and gives a probability. CISA KEV asks "is this already being exploited in the wild?" and gives a yes or no from an authoritative catalog. Teams that rely on CVSS alone drown in high-severity findings that will never be attacked; teams that combine all three fix the right things first. This FAQ explains each one and how they fit together.

Frequently Asked Questions

What is CVSS? CVSS, the Common Vulnerability Scoring System, is an open standard maintained by FIRST that rates the technical severity of a vulnerability on a 0.0 to 10.0 scale. It is built from a vector of metrics describing how a vulnerability is exploited (attack vector, complexity, privileges, user interaction) and its impact on confidentiality, integrity, and availability. The current versions in circulation are CVSS 3.1 and CVSS 4.0. It answers "how severe is this if exploited," not "will it be exploited."

What do the CVSS severity bands mean? CVSS maps its numeric score to qualitative bands: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). These bands are what most SLAs and policies key off. The problem is that a huge share of published CVEs land in High or Critical, so the band alone cannot tell you what to do first. Severity is necessary context but a poor standalone prioritizer.

What is EPSS? EPSS, the Exploit Prediction Scoring System, is a data-driven model from FIRST that estimates the probability a vulnerability will be exploited in the wild within the next 30 days. It outputs a probability between 0 and 1 (roughly 0 to 100 percent) that is updated daily as new evidence appears. It draws on signals like published exploit code, references, and vulnerability characteristics. EPSS answers the question CVSS cannot: how likely is exploitation, right now.

What is the CISA KEV catalog? KEV, the Known Exploited Vulnerabilities catalog, is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities with reliable evidence of active exploitation. It was launched in November 2021 under Binding Operational Directive 22-01, which requires federal civilian agencies to remediate listed CVEs by set due dates. By 2026 the catalog holds well over a thousand entries. If a vulnerability is on KEV, it is not a prediction — it is confirmed as being used by attackers.

How are CVSS, EPSS, and KEV different? They measure severity, likelihood, and confirmed exploitation respectively. CVSS is a mostly static assessment of impact, EPSS is a daily-updated probability of near-term exploitation, and KEV is a binary record of real-world attacks. A vulnerability can be Critical on CVSS but have near-zero EPSS and not be on KEV, or be Medium on CVSS yet sit on KEV with high EPSS. Using only one hides the picture the other two would reveal.

Why isn't CVSS enough on its own? Because most vulnerabilities are never exploited, and CVSS cannot tell you which ones. Research consistently finds that only a small fraction of published CVEs are ever exploited in the wild, yet a majority carry High or Critical CVSS scores. Prioritizing strictly by CVSS band therefore floods teams with severe-looking work that reduces little real risk. Severity has to be paired with likelihood and evidence to be useful for ranking.

Can you give a concrete example? Log4Shell (CVE-2021-44228) is the textbook case: CVSS 10.0, a very high EPSS score, and an early entry on CISA KEV — all three signals screaming maximum urgency at once. That alignment is exactly what a top priority looks like. Contrast it with a Critical-CVSS bug in an obscure feature that has no public exploit, a near-zero EPSS, and no KEV listing; it can reasonably wait while Log4Shell-class issues are fixed immediately.

How should I combine the three signals? Treat KEV as a near-automatic escalation, EPSS as your likelihood dial, and CVSS as the impact ceiling — then layer reachability for exploitability in your specific code. A practical rule: anything on KEV or with high EPSS and a reachable code path gets the shortest SLA; high CVSS with low EPSS and no exploit evidence gets a longer window. This blend consistently outperforms sorting by CVSS alone.

Does a low EPSS score mean I can ignore a vulnerability? No. EPSS is a probability, and a low score means low likelihood today, not zero risk forever. Scores change daily, so a currently quiet vulnerability can spike when exploit code is published. Low EPSS is a reason to deprioritize relative to higher-likelihood items, not a reason to delete the finding from tracking. Re-evaluation over time is part of using EPSS correctly.

How often do EPSS and KEV change? EPSS is recomputed daily for the full CVE population, so a score you saw last week may be materially different today. KEV is updated by CISA whenever new evidence of active exploitation is confirmed, which can be several times a week. Because both move, prioritization that ingests them must be continuous rather than a one-time snapshot. A static export goes stale quickly.

Where does reachability fit alongside these scores? Reachability adds the "is it exploitable in my code" dimension that none of the three scores provide. CVSS, EPSS, and KEV describe the vulnerability in general; reachability describes it in your application. A KEV-listed, high-EPSS vulnerability that your code never actually calls is less urgent than the same profile in a reachable path. Safeguard combines reachability with all three scores on top of software composition analysis so the ranking reflects both the world and your codebase.

How does Safeguard use CVSS, EPSS, and KEV together? Safeguard ingests CVSS (both 3.1 and 4.0 where available), daily EPSS scores, and KEV status for every finding, then folds in reachability to produce an effective priority. Griffin AI explains the ranking in plain language so a developer sees why one finding outranks another, and automated remediation can open the fix PR for the top items. If you are comparing how different vendors handle this stack, our comparison hub lays out the differences.


Want prioritization that blends severity, likelihood, and active exploitation automatically? Start free or read the scoring guide in the Safeguard docs.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.