FAQ : EPSS

EPSS complements CVSS by adding a temporal and behavioral dimension to vulnerability assessment. CVSS measures the severity of a flaw based on its intrinsic properties (impact, complexity, accessibility), but says nothing about the actual probability of it being exploited. EPSS fills this gap by analyzing real-world data, such as exploitation trends observed in honeypots, vulnerability search engines, or threat feeds.

This complementarity is valuable for risk management: a flaw may be critical according to CVSS, but not exploited (low EPSS score), or conversely appear benign in theory, but be heavily used in automated attacks. Using both scores together allows for establishing more relevant priorities that align with real-world conditions.

#EPSS #CVSS

For CISOs and SOC teams, EPSS offers objective and dynamic decision support. It allows filtering vulnerabilities detected by scanners based on their probability of exploitation, which reduces the workload of teams and improves the relevance of alerts. EPSS is particularly useful in environments where the volume of CVEs is high and resources are limited.

By integrating EPSS into vulnerability management tools, SIEMs, or security dashboards, CISOs can better communicate with management by prioritizing actions based on real and measurable risk, rather than a simple theoretical score.

#EPSS #CISO #SOC

EPSS scores are updated daily, reflecting the dynamic nature of threats and vulnerability exploitation. At any time, a change in the attack landscape (exploit publication, forum discussion, detection in honeypots) can cause the probability of a CVE being targeted to vary.

This frequent updating makes EPSS a more reactive tool than CVSS, whose scores rarely change once published. To take full advantage of EPSS, it is therefore recommended to integrate automated feeds or APIs to track scores continuously.

#EPSS
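To make the CVSS/EPSS prioritization and feed integration described above concrete, here is an added example (not part of the original FAQ) that parses an EPSS API response and triages scanner findings; the response body, CVE identifiers and scores are constructed placeholders, and the assumption that the FIRST API returns scores as strings inside a `data` list is labelled in the code.

```python
import json
from typing import Dict, List, Tuple

# Constructed stand-in for a response from the FIRST EPSS API
# (https://api.first.org/data/v1/epss). Assumption: scores arrive as
# strings inside a "data" list. CVE ids and values are placeholders.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.00042", "percentile": "0.05"},
        {"cve": "CVE-0000-0002", "epss": "0.93100", "percentile": "0.99"},
        {"cve": "CVE-0000-0003", "epss": "0.00210", "percentile": "0.60"},
    ],
})

# Constructed scanner output: (CVE id, CVSS base score).
SAMPLE_FINDINGS = [
    ("CVE-0000-0001", 9.8),  # critical on paper, almost never exploited
    ("CVE-0000-0002", 5.3),  # medium on paper, heavily exploited
    ("CVE-0000-0003", 7.5),
    ("CVE-0000-0004", 4.0),  # not present in the EPSS feed
]

def parse_epss(raw_json: str) -> Dict[str, float]:
    """Map CVE id -> EPSS probability (0..1) from an API response body."""
    body = json.loads(raw_json)
    return {row["cve"]: float(row["epss"]) for row in body.get("data", [])}

def prioritize(findings: List[Tuple[str, float]], epss: Dict[str, float],
               exploit_threshold: float = 0.10) -> List[Tuple[str, float, float, str]]:
    """Combine CVSS severity with EPSS probability into an action tier.

    The threshold is an organisational choice; 0.10 is an illustrative value.
    """
    triaged = []
    for cve, cvss in findings:
        p = epss.get(cve)
        if p is None:
            p, tier = 0.0, "no EPSS data"   # feed gap: review manually
        elif p >= exploit_threshold:
            tier = "patch now"              # exploitation is actually likely
        elif cvss >= 9.0:
            tier = "schedule"               # severe, but no exploitation signal yet
        else:
            tier = "monitor"                # neither severe nor likely exploited
        triaged.append((cve, cvss, p, tier))
    # Real-world exploitation probability first, CVSS as the tie-breaker.
    triaged.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return triaged
```

Re-running `parse_epss` against a fresh daily download keeps the ordering aligned with the current threat landscape without re-scanning.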

The EPSS model is developed and maintained by the FIRST (Forum of Incident Response and Security Teams) community, in collaboration with researchers, data analysts, and cybersecurity professionals. It is an open and collaborative project, with publicly documented methods and regularly updated results.

The model is built on large-scale statistical data and machine learning techniques. It is designed to be transparent, reproducible, and freely accessible, making it a reliable tool suited to the operational needs of security teams, even outside American or governmental contexts.

#EPSS #FIRST