EPSS, short for Exploit Prediction Scoring System, is a data-driven model that estimates the probability a specific software vulnerability will be exploited in the wild within the next 30 days. Maintained by FIRST.org — the same nonprofit that owns CVSS — EPSS assigns every published CVE a score between 0 and 1, which is usually read as a percentage from 0% to 100%, and recalculates that score daily as new exploit intelligence, dark-web chatter, and internet-scanning data come in. The current release, EPSS v4, went live on March 17, 2025, and draws on more than 1,600 variables per CVE, including references to Metasploit and ExploitDB modules, mentions on security mailing lists, and inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog. Security teams use EPSS to cut through CVSS-driven alert floods: with roughly 40,000 CVEs published in 2024 alone, EPSS gives a probability-based way to decide which handful of vulnerabilities actually need to be patched this week instead of shipped to a backlog.
What Does an EPSS Score of 0.36 Actually Mean?
An EPSS score of 0.36 means FIRST's model estimates a 36% chance the vulnerability will see exploitation attempts in the next 30 days, based on patterns observed across the broader threat landscape. That is not a guess about your specific environment — it is a population-level estimate calculated the same way for every organization, similar to how a weather model estimates a 36% chance of rain for a region rather than for one specific backyard. Scores are not evenly distributed: FIRST's own published data shows the vast majority of the roughly 240,000+ CVEs cataloged in the NVD carry EPSS scores well under 1%, while a small minority — often tied to remote code execution flaws in internet-facing software like VPNs, mail servers, or CMS platforms — spike above 0.90. Because EPSS updates daily, a CVE that scored 0.02 on a Monday can jump to 0.85 by Friday if a working exploit gets published on GitHub or added to a Metasploit module, which is why static, point-in-time risk reports go stale fast.
How Is EPSS Different From CVSS?
EPSS measures the likelihood a vulnerability will be exploited, while CVSS measures how severe the damage would be if it were. They answer two different questions, and conflating them is exactly how teams end up patching the wrong things first. A textbook example: CVE-2021-4034 (Polkit "PwnKit") carries a CVSS base score of 7.8 but sat at an EPSS score above 0.94 for extended periods because working exploit code was public within days — making it a near-certain target. Compare that to thousands of CVSS 9.8 "critical" findings in obscure, non-internet-facing libraries that have sat at an EPSS score below 0.05 for years because no one has ever bothered to weaponize them. FIRST has published research showing that patching everything rated CVSS 7+ means remediating tens of thousands of CVEs to catch a modest share of eventual real-world exploits, whereas a well-chosen EPSS threshold can catch a comparable share of exploited CVEs while shrinking the remediation list by an order of magnitude.
How Is the EPSS Score Calculated?
EPSS is calculated by a machine-learning model — specifically gradient-boosted decision trees in the current v4 architecture — trained on historical exploitation evidence pulled from over a dozen threat intelligence feeds. Data sources feeding the model include GreyNoise and Shodan scanning telemetry, AlienVault OTX and Fortinet FortiGuard threat feeds, exploit code repositories like ExploitDB and Metasploit, security mailing lists, and CISA's KEV catalog, which as of 2025 lists more than 1,300 CVEs with confirmed active exploitation. The model looks at each CVE's metadata — its CWE category, affected vendor and product, age since publication, and whether reference links point to proof-of-concept code — and outputs a probability, which FIRST republishes as a CSV/JSON feed via its public API every 24 hours. Because the model is retrained periodically on rolling windows of exploitation data rather than fixed rules, EPSS scores for older CVEs shift over time as attacker behavior shifts, which is different from CVSS scores that are set once at publication and rarely revised.
Why Did FIRST Release EPSS v4 in March 2025?
FIRST released EPSS v4 on March 17, 2025 because earlier versions, particularly v3 (released March 2023), struggled to score newly published CVEs that had no observed exploitation history yet. V4 expanded the training dataset, added new features such as more granular vendor/product signals and CWE weighting, and specifically improved "cold start" accuracy for CVEs in their first days of existence — a known blind spot, since roughly a quarter of exploitation activity historically occurred within two weeks of disclosure. FIRST's validation testing for v4 showed measurable gains in both precision (fewer false positives flagged as high-risk) and recall (fewer real exploited CVEs missed) compared to v3, which matters because underestimating a fast-moving CVE like a fresh Ivanti or Citrix remote-code-execution flaw can mean missing the patch window entirely before mass scanning begins.
How Many CVEs Actually Need Urgent Attention According to EPSS?
According to EPSS's own distribution data, only a small single-digit percentage of all published CVEs ever reach a high-confidence exploitation score, even though CVSS alone would flag roughly half of all CVEs as "high" or "critical" severity. Set against a base of over 240,000 CVEs tracked in the NVD and roughly 40,000 new ones published in 2024, treating every CVSS 7+ finding as equally urgent is operationally impossible for most security teams — yet CISA's KEV catalog, built from confirmed real-world attacks, holds just over 1,300 entries. That gap illustrates the core value of EPSS: it lets teams triage a sprawling backlog down to the few hundred or few thousand CVEs across their actual asset inventory that carry genuinely elevated exploitation probability, rather than treating a 15,000-line vulnerability report as a flat priority list. FIRST recommends pairing an EPSS threshold (commonly somewhere in the 0.1–0.5 range depending on risk appetite) with contextual factors like exposure and exploit availability rather than using either score in isolation.
How Safeguard Helps
EPSS is a strong signal, but it's a population-level average that says nothing about whether the vulnerable code path is actually reachable in your application, or whether the affected package even ships in your production build. Safeguard combines EPSS and CVSS data with reachability analysis to confirm whether vulnerable functions are actually called in your codebase, so a CVE with a 0.85 EPSS score in a dependency you never invoke doesn't consume triage time. Griffin, Safeguard's AI-driven analysis engine, layers exploit-likelihood data on top of your generated or ingested SBOMs to rank findings by real exploitability across your full software supply chain, not just isolated CVE lists. When a fix is available, Safeguard can open an auto-fix pull request directly against the affected manifest, turning an EPSS-informed prioritization decision into a merged remediation in the same workflow instead of a separate ticket.