Safeguard
Security

EPSS Meaning: The Exploit Prediction Scoring System Explained

EPSS is a daily-updated probability that a given CVE will be exploited in the next 30 days. Here is what the score means and how to use it.

Aisha Rahman
Security Analyst
5 min read

EPSS stands for the Exploit Prediction Scoring System, and its meaning is a daily-updated probability, expressed as a number between 0 and 1, that a specific published vulnerability will be exploited in the wild within the next 30 days. It is produced by FIRST.org, the same organization behind CVSS, and it exists to answer a question that severity scores cannot: of all the vulnerabilities I could fix, which ones are attackers actually likely to use?

That framing is the whole point of EPSS. A CVSS score tells you how bad a vulnerability would be if exploited. EPSS tells you how probable that exploitation is. You need both to prioritize well.

What the Score Actually Represents

An EPSS score of 0.90 means the model estimates roughly a 90 percent chance the vulnerability will see exploitation activity in the next 30 days. A score of 0.02 means about a 2 percent chance. The values are recalculated and republished every day for essentially every CVE, because the threat picture shifts constantly as exploit code is released and attacker interest moves around.

EPSS also publishes a percentile alongside the raw probability. A percentile of 0.95 means the vulnerability is more likely to be exploited than 95 percent of all scored CVEs. The percentile is often the more practical number for setting a threshold, because the raw probabilities cluster low for most vulnerabilities.

How EPSS Is Built

The model is data-driven. It ingests signals including the vulnerability's age, keywords in its description, the affected vendor, CVSS metrics, mentions across the web, and whether public exploit code exists, then predicts exploitation likelihood based on observed patterns. It is retrained as new exploitation data arrives, which is why the same CVE's score changes over time.

Crucially, EPSS is empirical rather than judgment-based. It reflects what has actually been observed about how vulnerabilities like this one get exploited, not an analyst's opinion about severity. That is its strength and also a limitation to keep in mind: it is a statistical estimate, not a guarantee about any single CVE.

EPSS Versus CVSS

This is the comparison everyone asks about, and the answer is that they are complementary, not competitors.

CVSS measures intrinsic severity: how much damage, how easy to exploit in principle, what access is required. It is relatively static for a given vulnerability. EPSS measures the probability of exploitation happening soon, and it moves daily.

The failure mode of using CVSS alone is drowning in critical-severity findings, because a huge number of CVEs score high on CVSS, but only a small fraction are ever exploited. Research consistently shows most published vulnerabilities are never exploited in the wild. If you patch strictly in CVSS order, you spend enormous effort on high-severity issues that attackers ignore while a medium-severity but heavily exploited flaw waits.

The strong pattern is to combine them: prioritize vulnerabilities that are both high-severity (CVSS) and likely to be exploited (EPSS), and use EPSS to sort the flood of high-CVSS findings by real-world urgency.

Using EPSS in Practice

A workable policy looks like a two-dimensional gate. For example, treat anything with high CVSS and an EPSS percentile above a chosen threshold as an immediate patch, high CVSS with low EPSS as scheduled work, and low CVSS with low EPSS as backlog. Tune the thresholds to your risk tolerance and capacity.

The data is freely available from FIRST.org via CSV and API, so you can pull scores directly. In practice most teams get EPSS through their tooling: a software composition analysis platform can surface the EPSS score next to each finding so the prioritization happens where you already work, without manually cross-referencing a separate feed. Pair it with knowledge of what is actually reachable in your deployment and you have a genuinely risk-based queue.

What EPSS Does Not Tell You

EPSS scores a vulnerability in the abstract. It does not know whether the affected component is even present in your environment, whether it is reachable, or whether you have compensating controls. A high EPSS score on a package you do not deploy is irrelevant to you. Treat EPSS as one strong input into prioritization, layered on top of your own asset and reachability context rather than as the final word. The Safeguard academy has a fuller walkthrough of building a prioritization model from these signals.

FAQ

What does EPSS stand for?

EPSS stands for the Exploit Prediction Scoring System. It is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days.

What is a good EPSS score to act on?

There is no universal threshold; it depends on your risk tolerance and capacity. Many teams use the EPSS percentile, treating high-percentile CVEs that also score high on CVSS as urgent. Tune the cutoff to what your team can realistically patch.

Does EPSS replace CVSS?

No. CVSS measures intrinsic severity and EPSS measures exploitation likelihood. They answer different questions and work best together, using EPSS to prioritize among the many high-severity CVSS findings.

How often is EPSS updated?

Daily. FIRST.org recalculates and republishes scores every day for the full set of scored CVEs, because exploitation likelihood changes as exploit code appears and attacker attention shifts.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.