Question 1

What Is EPSS?

Accepted Answer

EPSS is a machine learning model built by FIRST (Forum of Incident Response and Security Teams) that estimates the probability a CVE will be exploited within 30 days of public disclosure. The model's methodology and validation data are published in the EPSS research paper and the EPSS API documentation.

Output: a score from 0.0 to 1.0.

Unlike CVSS, which is static (a vulnerability published in 2015 has the same CVSS score today), EPSS evolves. The score changes as new threat intelligence arrives, exploit code is published, or malware incorporates the flaw.

A vulnerability might debut at EPSS 0.2 (unlikely to be exploited). Two weeks later, when a functional proof-of-concept is released, it spikes to EPSS 0.8 (probable exploitation). EPSS tracks this trajectory; CVSS doesn't move.

Question 2

How is EPSS different from CVSS?

Accepted Answer

CVSS describes severity, not likelihood. A CVSS 9.0 could have EPSS 0.01 if no one is exploiting it yet, and a mid-CVSS bug can sit at EPSS 0.95 because attackers have already weaponized it. EPSS tells you which vulnerabilities are actually being used in the wild, using real threat intelligence rather than theoretical impact. For even stronger signals, combine EPSS with CISA KEV to confirm active exploitation — CVSS describes what an exploit could do; EPSS tells you whether anyone is doing it.

Question 3

Should I stop fixing vulnerabilities with low EPSS scores?

Accepted Answer

Not stop — deprioritize. EPSS is a 30-day prediction, not a lifetime assessment. A CVSS 9.8 with EPSS 0.03 today could spike to 0.85 next week if a proof-of-concept is published. The right approach: patch low-EPSS findings in your normal cycle (not emergency), but set up alerts for EPSS trend changes. GeekWala's historical tracking surfaces the moment scores start rising, so you can catch the spike before it becomes a KEV entry.

Question 4

How often does EPSS update?

Accepted Answer

Continuously. FIRST.org retrains the model daily and publishes fresh scores every 24 hours, and a single CVE's score can shift multiple times as new threat intelligence arrives, proof-of-concept code is published, or malware is observed using the flaw. GeekWala fetches fresh EPSS scores on every scan, so the numbers you see reflect the latest model output rather than a stale snapshot.

Question 5

Can EPSS be weaponized against me?

Accepted Answer

Theoretically, threat actors could inflate EPSS by creating fake PoCs or coordinated intelligence reports. In practice, FIRST's model is robust to this — they validate evidence before it affects scores. Still, combine EPSS with human judgment and cross-reference with CISA KEV for high-stakes decisions, especially when a score moves suddenly without corroborating exploit activity.

Question 6

Should I automate patching based on EPSS?

Accepted Answer

Cautiously. Automatic patching for EPSS > 0.9 or CISA KEV entries is reasonable (truly emergency). For EPSS 0.7–0.9, require manual review first — regressions happen, and you want human eyes on emergency patches before they hit production.

Question 7

Where can I see EPSS percentiles for my dependencies?

Accepted Answer

When you scan your dependencies, each CVE displays both the raw EPSS score and its percentile ranking across all known CVEs. Percentiles help you understand relative risk — a score of 0.4 might sound moderate, but if it's in the 95th percentile, it is more dangerous than most.

---

Ready to see your vulnerabilities ranked by exploitation probability, not just severity?

Check your EPSS scores now → — upload a lock file and see every finding ranked by exploitation probability, not just CVSS. No account needed.

---

Once you understand EPSS, the next step is building it into your patch workflow. See Software Supply Chain Security Guide for a complete remediation framework.