Question 1

Does CVSS predict exploitation?

Accepted Answer

No. CVSS describes blast radius — how bad a vulnerability could be if exploited — based on static technical characteristics (attack vector, attack complexity, impact on confidentiality/integrity/availability). It says nothing about whether anyone will actually exploit it. A 2015 CVE still reads CVSS 9.8 today regardless of whether it has been weaponized, ignored, or forgotten. If you need an answer to "will this be exploited?", you need EPSS — see What is EPSS? for how the model actually derives that probability.

Question 2

Can I use EPSS without CVSS?

Accepted Answer

Operationally yes — EPSS alone will correctly prioritize the vulnerabilities most likely to be exploited, and research by the FIRST EPSS team shows it outperforms CVSS-only prioritization at catching real exploitation. But you lose the impact signal: a CVE with EPSS 0.9 on a developer workstation is a different risk than the same CVE on an internet-facing payment service. Keep CVSS for blast-radius framing, compliance reporting, and risk-appetite conversations with leadership; use EPSS to decide which ones to actually fix this week.

Question 3

How do I combine CVSS severity with EPSS probability?

Accepted Answer

Triage by a 3-signal rule: CISA KEV → ship the fix today; EPSS ≥ 0.1 with a CVSS ≥ 7.0 and a reachable attack path → ship this week; CVSS-only critical in runtime code → schedule in the next sprint; everything else → normal patch cadence. The 3-Signal Triage Method walks through this in detail and shows how to turn both scores plus KEV membership into a single ordered queue your team can burn down.

Question 4

Is EPSS replacing CVSS?

Accepted Answer

No. EPSS complements CVSS — it doesn't replace it. CVSS remains important for compliance, blast radius assessment, and communication. EPSS adds the exploitation dimension that CVSS was never designed to provide.

Question 5

Can a vulnerability have high EPSS and low CVSS?

Accepted Answer

Yes, and it's more common than you'd expect. Authentication bypasses, SSRF, and path traversal flaws often score CVSS 4–6 (moderate impact) but attract high exploitation activity because they're easy to weaponize. Don't let a moderate CVSS score lull you into ignoring a high EPSS score.

Question 6

Which score should I show my CISO?

Accepted Answer

Both, but frame them differently. CVSS answers "what's the worst case?" — useful for risk appetite discussions. EPSS answers "what's likely to happen?" — useful for resource allocation. The 3-Signal Triage Method gives you a framework to present both in context.

Question 7

How accurate is EPSS compared to CVSS?

Accepted Answer

Research by the FIRST EPSS team (Jacobs et al.) shows that EPSS-based prioritization catches more actually-exploited vulnerabilities while generating fewer false positives than CVSS-based prioritization. In their analysis, only about 6% of CVEs are ever exploited, and EPSS is significantly better at identifying which 6%.

---

See both scores for your dependencies — sorted by what matters.

Scan your dependencies now → — every finding shows CVSS severity alongside EPSS exploitation probability and CISA KEV status. No more guessing which "Critical" findings actually need emergency action. No account needed.