A CVSS 9.8 vulnerability sits unpatched for three months. No one seems worried.
A CVSS 3.1 vulnerability is patched within 48 hours. Teams drop everything.
CVSS didn't warn you about the difference. EPSS would have.
EPSS (Exploit Prediction Scoring System) answers a question CVSS can't: Will this vulnerability actually be exploited in the next 30 days? It's the difference between theoretical risk and practical threat. Between "this is severe if exploited" and "threat actors are exploiting this right now."
For teams managing hundreds of vulnerabilities, EPSS tells you which 3 out of 50 findings deserve your attention today.
TL;DR: EPSS is a daily-updated machine learning score (0.0–1.0) that predicts the probability a CVE will be exploited in the next 30 days. About 85% of CVEs score below 0.1 — meaning most alerts are noise. The ~4% scoring above 0.5 are where your team's energy belongs. Combined with CISA KEV, EPSS lets you cut alert fatigue and patch the vulnerabilities that will actually hurt you.
What We'll Cover
- What EPSS is and how it works
- How the ML model trains on real threat intelligence
- Where most CVEs actually land (the EPSS distribution)
- EPSS vs CVSS: the key differences
- 2D framework: CVSS × EPSS matrix
- Triage workflow using EPSS scores
- Log4Shell case study: EPSS in real time
- Limitations and what EPSS can't do
- EPSS across ecosystems (npm, Python, Java, Go, .NET, Rust)
What Is EPSS?
EPSS is a machine learning model built by FIRST (Forum of Incident Response and Security Teams) that estimates the probability a CVE will be exploited within 30 days of public disclosure. The model's methodology and validation data are published in the EPSS research paper and the EPSS API documentation.
Output: a score from 0.0 to 1.0.
EPSS 0.0 = 0% chance of exploitation
EPSS 0.5 = 50% chance of exploitation
EPSS 0.95 = 95% chance of exploitation
Unlike CVSS, which is static (a vulnerability published in 2015 has the same CVSS score today), EPSS evolves. The score changes as new threat intelligence arrives, exploit code is published, or malware incorporates the flaw.
A vulnerability might debut at EPSS 0.2 (unlikely to be exploited). Two weeks later, when a functional proof-of-concept is released, it spikes to EPSS 0.8 (probable exploitation). EPSS tracks this trajectory; CVSS doesn't move.
How EPSS Works: Machine Learning on Threat Intelligence
FIRST's model ingests data from multiple streams and retrains continuously:
```text
┌────────────────────┐  ┌────────────────────┐  ┌────────────────────┐
│ Vulnerability      │  │ Threat Intel       │  │ Historical         │
│ Metadata           │  │ Feeds              │  │ Patterns           │
│                    │  │                    │  │                    │
│ • CVSS metrics     │  │ • Exploit-DB       │  │ • Similar CVEs     │
│ • Vuln type (RCE,  │  │ • GitHub PoCs      │  │ • Time-to-weapon   │
│   auth bypass...)  │  │ • Metasploit       │  │ • Ecosystem        │
│ • Days since       │  │ • Malware feeds    │  │   adoption rates   │
│   disclosure       │  │ • Threat reports   │  │ • Attack surface   │
│ • Affected         │  │ • Dark web         │  │   exposure         │
│   ecosystem        │  │   mentions         │  │                    │
└─────────┬──────────┘  └─────────┬──────────┘  └─────────┬──────────┘
          │                       │                       │
          └───────────────────────┼───────────────────────┘
                                  ▼
                        ┌────────────────────┐
                        │ FIRST.org ML       │
                        │ Model (daily       │
                        │ retraining)        │
                        └─────────┬──────────┘
                                  ▼
                        ┌────────────────────┐
                        │ EPSS Score: 0.0    │
                        │ to 1.0 per CVE     │
                        │ (updates daily)    │
                        └────────────────────┘
```
The key detail: EPSS retrains daily, not monthly or quarterly. A vulnerability's score can shift dramatically when a new PoC is published or malware adopts the flaw. This makes EPSS tactical — useful for "what should we patch this week?" rather than "what's our annual risk posture?"
Where Most CVEs Actually Land: The EPSS Distribution
One of the most striking things about EPSS is how concentrated the scores are at the low end:
EPSS Score Distribution — All Published CVEs

| Score range | Approx. % of CVEs | What it means |
|---|---|---|
| 0.00–0.01 | ~65% | Virtually no exploitation activity |
| 0.01–0.05 | ~20% | Low background noise |
| 0.05–0.10 | ~7% | Worth monitoring if CVSS is high |
| 0.10–0.30 | ~4% | Elevated — review for your context |
| 0.30–0.70 | ~2% | High — patch within sprint |
| 0.70–1.00 | ~2% | Critical — patch immediately |

The first three rows (about 93% of CVEs) can be safely deprioritized; the last two rows (about 4%) are where you must act.
Roughly 85% of all CVEs have EPSS below 0.1. Only about 2% have EPSS above 0.7. This is why EPSS is so powerful for cutting through alert fatigue — it tells you that the overwhelming majority of vulnerabilities, regardless of their CVSS score, are unlikely to be exploited in the near term. The ~4% above 0.5 are where you should focus your team's energy.
Want to see EPSS scores for your own dependencies?
Scan your dependencies → — every CVE in your results includes its EPSS score so you can instantly see which vulnerabilities fall in that critical top 4%. No account needed.
The EPSS vs CVSS Picture
Here's the cognitive dissonance that makes EPSS valuable:
```text
CVSS 9.8   EPSS 0.02              CVSS 4.1   EPSS 0.88
┌─────────────────┐               ┌─────────────────┐
│ Devastating flaw│               │ Minor flaw      │
│ No one's        │      vs       │ Threat actors   │
│ exploiting it   │               │ are weaponizing │
│ yet             │               │ it right now    │
└─────────────────┘               └─────────────────┘
```
CVSS makes the first seem more urgent. EPSS makes the second more urgent. Reality agrees with EPSS.
| Scenario | CVSS | EPSS | What It Means | Action |
|---|---|---|---|---|
| Fresh RCE, no one exploiting yet | 9.2 | 0.03 | High-impact flaw, low current threat | Patch in normal cycle, monitor for EPSS spike |
| Weaponized auth bypass | 5.1 | 0.71 | Low-impact flaw, active exploitation | Patch immediately, this is urgent |
| Severe + actively exploited | 8.9 | 0.64 | Both dimensions are dangerous | Patch urgently |
| Neither severe nor exploited | 3.2 | 0.01 | Noise | Address during routine maintenance |
Organizations using only CVSS waste enormous effort on the first category while missing the second.
A Visual Framework: CVSS vs EPSS in 2D
The four quadrants below show exactly where each vulnerability type falls — and what you should do about it:
```text
                          CVSS Score (Theoretical Severity)
                       Low (0–5)         High (6–10)
                      ┌─────────────────┬──────────────────────┐
EPSS 0.5+        High │ PRIORITY ZONE   │ CRISIS ZONE          │
(active exploit       │                 │                      │
likelihood)           │ High exploit    │ High severity +      │
                      │ probability,    │ active exploitation. │
                      │ low severity.   │ Emergency patch.     │
                      │ Don't ignore.   │ 24-hour SLA.         │
                      ├─────────────────┼──────────────────────┤
EPSS < 0.5        Low │ NOISE ZONE      │ MONITORING ZONE      │
                      │                 │                      │
                      │ Low severity,   │ Looks scary (high    │
                      │ nobody's        │ CVSS) but nobody     │
                      │ exploiting.     │ is exploiting yet.   │
                      │ Safe to skip.   │ Patch next quarter.  │
                      └─────────────────┴──────────────────────┘
```
Most basic scanners only show you the horizontal axis (CVSS). EPSS adds the vertical axis: exploitation probability.
The top-right quadrant (high CVSS + high EPSS) is your crisis zone. The top-left (high EPSS + low CVSS) is your priority zone — this is where EPSS saves you from missing real threats. The bottom-right (low EPSS + high CVSS) is your monitoring zone — high severity, but nobody is exploiting it yet. The bottom-left is noise.
npm audit, Snyk without EPSS context, and most basic scanners can only show you the horizontal axis (CVSS). You're flying blind on the vertical axis (likelihood of exploitation).
Triage Workflow: Using EPSS to Actually Prioritize
Here's a framework that works:
EPSS > 0.9 or CISA KEV entry → Patch in 24 hours
- Actively weaponized, immediate threat
- Drop whatever you're doing
EPSS 0.7–0.9 → Patch within 1 week
- High exploitation probability
- Will likely be exploited if not patched
EPSS 0.5–0.7 → Patch within 2 weeks
- Above-average exploitation risk
- Include in your normal patch cycle
EPSS 0.2–0.5 → Patch within 30 days
- Below-average but not negligible
- Include in monthly maintenance
EPSS < 0.2 → Patch in routine maintenance (quarterly)
- Rarely exploited vulnerabilities
- Standard lifecycle management
Notice CVSS is completely absent. That's by design. CVSS is a tiebreaker when two vulnerabilities have the same EPSS.
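The workflow above, including the CISA KEV override and CVSS as the tiebreaker, as an added example in Python (not GeekWala's code). It assumes findings arrive as plain dicts with `cve`, `cvss`, `epss` and an optional `in_kev` flag; the sample findings are constructed with placeholder CVE ids, not real scan output.

```python
from typing import Optional
from datetime import date, timedelta

# SLA tiers from the workflow above: (EPSS floor, label, days to patch).
# A CISA KEV entry maps to the top tier regardless of score.
TIERS = [
    (0.9, "Patch in 24 hours", 1),
    (0.7, "Patch within 1 week", 7),
    (0.5, "Patch within 2 weeks", 14),
    (0.2, "Patch within 30 days", 30),
    (0.0, "Routine maintenance (quarterly)", 90),
]


def tier_for(epss: float, in_kev: bool = False):
    """Return (label, days) for one finding; KEV membership overrides EPSS."""
    if in_kev:
        return TIERS[0][1], TIERS[0][2]
    for floor, label, days in TIERS:
        if epss >= floor:
            return label, days
    return TIERS[-1][1], TIERS[-1][2]  # negative/garbage input falls to routine


def triage(findings, today: Optional[date] = None):
    """Rank findings: shortest SLA first, then higher EPSS, then CVSS as tiebreaker."""
    today = today or date.today()
    ranked = []
    for f in findings:
        label, days = tier_for(f["epss"], f.get("in_kev", False))
        ranked.append({**f, "tier": label, "due_in_days": days,
                       "due": today + timedelta(days=days)})
    ranked.sort(key=lambda r: (r["due_in_days"], -r["epss"], -r["cvss"]))
    return ranked


# Constructed sample findings (placeholder CVE ids, illustrative scores)
SAMPLE = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.02},
    {"cve": "CVE-0000-0002", "cvss": 4.1, "epss": 0.88},
    {"cve": "CVE-0000-0003", "cvss": 5.1, "epss": 0.45, "in_kev": True},
    {"cve": "CVE-0000-0004", "cvss": 7.5, "epss": 0.45},
    {"cve": "CVE-0000-0005", "cvss": 6.0, "epss": 0.45},
    {"cve": "CVE-0000-0006", "cvss": 3.2, "epss": 0.01},
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["cve"]}  EPSS {r["epss"]:.2f}  CVSS {r["cvss"]}  {r["tier"]}  due {r["due"]}')
```

Note that the KEV-listed finding with EPSS 0.45 outranks the EPSS 0.88 one, and the two non-KEV findings at 0.45 are separated only by CVSS.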
EPSS Percentiles: Relative Risk
FIRST publishes percentiles with EPSS scores. For context:
- 90th percentile or higher: In the top 10% for exploitation likelihood. Rare. Treat as urgent.
- 70th–90th percentile: Well above average. Real threat.
- 50th–70th percentile: Average to above-average. Include in normal cycle.
- 30th–50th percentile: Below average. Don't panic, just patch regularly.
- Below 30th percentile: Unlikely to be exploited. Address during maintenance.
A vulnerability at 90th percentile is dramatically more likely to be exploited than one at 50th, even if the raw scores (0.85 vs 0.45) don't immediately signal that massive gap.
Real Example: EPSS Evolution Over Time
Timeline: Apache Log4j CVE-2021-44228

- 2021-12-09 (disclosure): EPSS 0.20. Thought: "This is concerning but not an emergency." Threat: unknown PoC leaked.
- 2021-12-10 (12 hours later): EPSS 0.67. Thought: "OK, this is real." Threat: public PoC published on GitHub.
- 2021-12-11 (24 hours): EPSS 0.95. Thought: "PATCH NOW." Threat: malware actively exploiting in the wild.

The timeline shows the value of continuous EPSS monitoring. Teams using CVSS alone would have missed the escalation until they read about it in the news.
With GeekWala, you'd see the EPSS spike days before the news coverage, allowing your team to prepare rather than react. This is also where CISA KEV comes in, as confirmation that exploitation is happening.
EPSS Limitations: What It Can't Do
EPSS is a powerful tool with hard limits:
30-day prediction window only: EPSS 0.05 doesn't mean "ignore forever." It means "unlikely in the next month." Year-old vulnerabilities with EPSS 0.02 might still deserve patching.
Trained on historical data: Novel vulnerability types or zero-days might not be well-predicted. Expert analysis still matters.
Doesn't know your code: A vulnerability with EPSS 0.8 is irrelevant if your application never calls the affected function. Conversely, EPSS 0.1 matters if you have a custom integration that triggers the flaw.
Doesn't account for your controls: A WAF rule, network segmentation, or authentication layer can neutralize high-EPSS vulnerabilities. EPSS is relative risk; your environment's defenses matter too.
Not a compliance tool: Compliance frameworks (PCI-DSS, HIPAA) often mandate "patch all CVSS 7.0+" regardless of EPSS. Use EPSS to optimize within those constraints, not to bypass them.
EPSS Across Ecosystems
EPSS applies universally, but each ecosystem has its own scanning tools and vulnerability databases. Here's how EPSS fits into each:
- npm: `npm audit` only shows CVSS severity. See how EPSS changes npm vulnerability prioritization.
- Python/PyPI: Fragmented advisory databases make EPSS especially valuable. See the Python dependency scanning guide.
- Java/Maven: Enterprise teams with 200+ transitive dependencies need EPSS to cut through noise. See the Java vulnerability scanning guide.
- Go: `govulncheck` handles local scanning well, but misses exploitation signals. See the Go module security guide.
- .NET/NuGet: `dotnet audit` lacks exploitation context. See the NuGet vulnerability scanning guide.
- Rust/crates.io: `cargo audit` + RustSec is strong, but `unsafe` code changes EPSS priority. See the Rust dependency security guide.
In every ecosystem, the pattern is the same: native tools show you what's vulnerable, EPSS tells you what's being exploited.
Quick Reference Card
```text
┌────────────────────────────────────┐
│ EPSS Quick Prioritization          │
├────────────────────────────────────┤
│ > 0.9      → PATCH NOW (24h)       │
│ 0.7–0.9    → Patch this week       │
│ 0.5–0.7    → Patch in 2 weeks      │
│ 0.2–0.5    → Patch in 30 days      │
│ < 0.2      → Routine maintenance   │
│                                    │
│ OR CISA KEV entry → PATCH NOW      │
└────────────────────────────────────┘
```
Frequently Asked Questions
Why use EPSS instead of just CVSS?
CVSS describes severity, not likelihood. A CVSS 9.0 could have EPSS 0.01 if no one's exploiting it yet. EPSS tells you which vulnerabilities are actually being weaponized. For even stronger signals, combine EPSS with CISA KEV to confirm active exploitation. You need both, but EPSS drives tactical prioritization.
How often does EPSS change?
Continuously. A vulnerability's EPSS can shift multiple times per day as new threat intelligence arrives, PoC code is published, or malware is discovered using the flaw. GeekWala fetches fresh EPSS scores on every scan.
Can EPSS be weaponized against me?
Theoretically, threat actors could inflate EPSS by creating fake PoCs or coordinated intelligence reports. In practice, FIRST's model is robust to this. They validate evidence before it affects scores. Still, combine EPSS with human judgment.
What if a vulnerability has high CVSS but low EPSS — can I ignore it?
Not ignore — deprioritize. EPSS is a 30-day prediction, not a lifetime assessment. A CVSS 9.8 with EPSS 0.03 today could spike to 0.85 next week if a PoC is published. The right approach: patch it in your normal cycle (not emergency), but set up alerts for EPSS trend changes. GeekWala's historical tracking shows you when scores are rising, so you can catch the spike before it becomes a KEV entry.
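The trend alerting described here, and the spike in the Log4Shell timeline above, as an added example in Python (not GeekWala's code). It assumes a daily EPSS history as a list of (ISO date, score) pairs; the history below is constructed from the timeline in this post, not real FIRST API output, and the two thresholds are assumptions chosen from the distribution table.

```python
# Constructed EPSS history for CVE-2021-44228, taken from the timeline above.
# The pre-disclosure 0.00 entry is assumed so the first day has a baseline.
LOG4SHELL_HISTORY = [
    ("2021-12-08", 0.00),
    ("2021-12-09", 0.20),
    ("2021-12-10", 0.67),
    ("2021-12-11", 0.95),
]

ACT_THRESHOLD = 0.5    # assumed: entering the "must act" band of the distribution
JUMP_THRESHOLD = 0.25  # assumed: a one-day rise this large is a spike on its own


def epss_alerts(history, act_threshold=ACT_THRESHOLD, jump_threshold=JUMP_THRESHOLD):
    """Walk a daily EPSS series and return the days that should raise an alert.

    An alert fires when the score first crosses act_threshold, or when it
    climbs by at least jump_threshold in a single day. Each alert records
    the day, the previous and current score, and the reason(s).
    """
    alerts = []
    for (_, prev), (day, cur) in zip(history, history[1:]):
        reasons = []
        if prev < act_threshold <= cur:
            reasons.append(f"crossed {act_threshold:.2f}")
        if cur - prev >= jump_threshold:
            reasons.append(f"+{cur - prev:.2f} in one day")
        if reasons:
            alerts.append({"date": day, "from": prev, "to": cur,
                           "reason": "; ".join(reasons)})
    return alerts


def first_action_day(history, act_threshold=ACT_THRESHOLD):
    """ISO date on which the score first reached the action band, or None."""
    for day, score in history:
        if score >= act_threshold:
            return day
    return None


if __name__ == "__main__":
    for a in epss_alerts(LOG4SHELL_HISTORY):
        print(f'{a["date"]}: EPSS {a["from"]:.2f} -> {a["to"]:.2f} ({a["reason"]})')
    print("first action day:", first_action_day(LOG4SHELL_HISTORY))
```

On the constructed history the first alert fires on 2021-12-10, the day the public PoC appeared, a day before the score reached 0.95.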
Should I automate patching based on EPSS?
Cautiously. Automatic patching for EPSS > 0.9 or CISA KEV entries is reasonable (truly emergency). For EPSS 0.7–0.9, require manual review first — regressions happen, and you want human eyes on emergency patches.
Where can I see EPSS percentiles for my dependencies?
When you scan your dependencies, each CVE displays both the raw EPSS score and its percentile ranking across all known CVEs. Percentiles help you understand relative risk — a score of 0.4 might sound moderate, but if it's in the 95th percentile, it's more dangerous than most.
Ready to see your vulnerabilities ranked by exploitation probability, not just severity?
Check your EPSS scores now → — upload a lock file and see every finding ranked by exploitation probability, not just CVSS. No account needed.