Safeguard
Security

What Is an EPSS Score? A Practical Security Guide

A practical guide to the EPSS score: what it measures, how the score and percentile differ, and how to use EPSS to prioritize which CVEs to fix first.

Aisha Rahman
Security Analyst
6 min read

An EPSS score is a probability, between 0 and 1, that a given vulnerability will be exploited in the wild within the next 30 days, and its purpose is to help you fix the CVEs most likely to actually be attacked rather than just the ones with the scariest severity rating. The Exploit Prediction Scoring System is maintained under FIRST.org, the same organization behind CVSS, and it answers a question CVSS was never designed to answer: not "how bad could this be," but "how likely is this to happen." For anyone drowning in vulnerability alerts, that shift is the whole point.

Why EPSS exists

Traditional prioritization leans on CVSS, the severity score that rates how damaging a vulnerability would be if exploited. CVSS is useful, but it has a well-known weakness as a to-do-list sorter: a large share of all CVEs score "high" or "critical," and only a small fraction of vulnerabilities are ever exploited in practice. If you patch strictly in CVSS order, you spend enormous effort on serious-looking flaws that no attacker will ever touch, while a medium-rated bug under active exploitation waits in the queue.

EPSS was built to fix that mismatch. Instead of measuring theoretical impact, it estimates the real-world likelihood of exploitation, so you can aim remediation effort where attackers are actually operating.

How the EPSS score is produced

EPSS is a data-driven machine-learning model, specifically a gradient-boosted classifier, trained on historical records of which vulnerabilities were exploited and which were not. It ingests a large set of signals for each CVE, including things like the age of the vulnerability, its CVSS characteristics, whether public exploit code exists, and mentions across security discussion, forums, and scanner telemetry. From those inputs it produces the 0-to-1 probability.

Two things make it practical:

  • It updates daily. EPSS publishes a fresh score for every CVE every day, so a vulnerability's likelihood rises when exploit code drops or chatter spikes, and settles when interest fades. A score is a snapshot of the current 30-day outlook, not a permanent label.
  • It is free and open. The data is published openly via CSV and an API, so you can pull it into your own tooling without a license.

Score versus percentile: the part people get wrong

Every CVE gets two EPSS numbers, and confusing them leads to bad decisions.

The score is the raw probability. A score of 0.10 means the model estimates roughly a 10 percent chance of exploitation in the next 30 days.

The percentile tells you how that score ranks against every other scored CVE. A percentile of 0.95 means this vulnerability has a higher exploitation probability than 95 percent of all known CVEs.

The percentile is often the more useful lever, because raw scores cluster very low. A score of 0.02 sounds trivial, but if most CVEs score below 0.01, that 0.02 can sit around the 70th percentile, meaning it is more likely to be exploited than the majority of vulnerabilities out there. Reading the raw number alone would make you dismiss something the percentile flags as relatively urgent.

Using EPSS to prioritize

EPSS is a prioritization input, not a verdict. The strongest use combines it with two other things you already know:

  • Severity (CVSS): how bad the impact would be.
  • EPSS: how likely exploitation is.
  • Context: is the affected component actually reachable and exposed in your environment?

The high-value quadrant is high impact and high likelihood and exposed. A common, defensible policy looks like: "Fast-track any vulnerability above an EPSS threshold (say a high percentile) that is also reachable in production; handle the rest on a routine cadence." That single rule cuts a report of thousands of findings down to a shortlist a small team can actually clear.

A caution worth stating: a low EPSS score is not a guarantee of safety. The model predicts near-term mass exploitation trends; it does not know that a specific attacker is targeting you specifically, and brand-new vulnerabilities can score low simply because there is not yet data. Treat EPSS as a strong statistical prior, then apply judgment for anything internet-facing or business-critical.

EPSS alongside KEV and CVSS

Two other signals pair naturally with EPSS. CISA's Known Exploited Vulnerabilities (KEV) catalog is a curated list of CVEs confirmed to be exploited; if something is on KEV, it jumps the queue regardless of its EPSS score, because "confirmed exploited" beats "predicted likely." CVSS still tells you impact. A mature prioritization uses all three: KEV as a hard override, EPSS as the likelihood weighting, CVSS as the impact weighting, and your own asset context as the multiplier.

Wiring EPSS into your workflow

The practical goal is not to look up EPSS scores by hand but to have them attached to findings automatically. Modern vulnerability tooling enriches each CVE with its EPSS score and percentile so you can sort and filter your backlog by exploitation likelihood directly. Software composition analysis platforms that report on your open-source dependencies increasingly surface EPSS next to each finding for exactly this reason; an SCA tool that shows EPSS lets you prioritize the dependency upgrades that reduce real risk first. If you want to build a full prioritization policy that blends EPSS, KEV, and reachability, the Safeguard Academy walks through it, and our own take on triaging without a big team is in the CVE management guide for SMEs.

FAQ

What is an EPSS score in simple terms?

It is a probability from 0 to 1 that a specific vulnerability will be exploited in the wild within the next 30 days. A higher score means the vulnerability is more likely to be attacked soon.

How is EPSS different from CVSS?

CVSS measures how severe a vulnerability's impact would be if exploited. EPSS estimates how likely exploitation actually is. CVSS answers "how bad," EPSS answers "how probable." Used together they prioritize far better than either alone.

What is the difference between the EPSS score and percentile?

The score is the raw exploitation probability. The percentile ranks that score against all other CVEs, so a percentile of 0.95 means the vulnerability is more likely to be exploited than 95 percent of known CVEs. Because raw scores cluster low, the percentile is often the more useful comparator.

Can I ignore vulnerabilities with a low EPSS score?

Not automatically. A low score means low predicted near-term mass exploitation, but it does not account for targeted attacks or brand-new CVEs with little data yet. Combine EPSS with severity, the CISA KEV catalog, and whether the flaw is reachable in your environment before deciding.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.