FAQ : CVEFind

Yes, more and more organizations are using EPSS as a primary criterion for deciding which vulnerabilities to patch first, especially when faced with a large volume of vulnerabilities to address. Patching all CVEs with a high CVSS score can be costly and inefficient, especially if some are never exploited. EPSS therefore makes it possible to focus resources on the vulnerabilities most likely to actually be exploited.

Some security policies now incorporate action thresholds based on EPSS, for example: “patch any vulnerability with an EPSS score > 0.7 within 48 hours”. This pragmatic approach accelerates remediation where it is most useful, while limiting unjustified interruptions.

#EPSS

CWEs are abstract patterns of weaknesses, whereas CVEs are concrete incidents. A CVE represents an identified vulnerability in a specific software or system, while a CWE describes a generic weakness present in the code or architecture, without necessarily being exploited.

For example, a CVE might concern an SQL injection in a web application, while the corresponding CWE would be CWE-89: Improper Neutralization of Special Elements used in an SQL Command. In summary, CWEs are used to categorize and analyze vulnerabilities, while CVEs allow you to track and fix them individually.

#CWE
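To make the CWE/CVE distinction concrete, here is an added example (not CVEFind's code) showing the generic weakness CWE-89 in a small Python function beside its corrected form. The table, rows and function names are constructed for the illustration; a real CVE would be one specific product shipping code like `lookup_vulnerable`, while CWE-89 names the pattern shared by every such instance.

```python
"""CWE-89 (the abstract weakness) next to a concrete, fixed instance.

Added example, not part of the CVEFind FAQ. The in-memory SQLite table
and its two rows are constructed sample data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """CWE-89: untrusted input is concatenated into the SQL statement,
    so the input can change the statement's structure, not just its data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    """Corrected form: a parameterized query binds the input as a value.
    The SQL structure is fixed at write time, so the weakness is absent."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def has_cwe_89_behaviour(conn: sqlite3.Connection, lookup) -> bool:
    """Defensive self-check: a lookup that returns rows for a username
    that does not exist has let the input alter the query."""
    probe = "nobody' OR 'a'='a"  # constructed probe value, not a real account
    return len(lookup(conn, probe)) > 0


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", has_cwe_89_behaviour(db, lookup_vulnerable))
    print("fixed:     ", has_cwe_89_behaviour(db, lookup_fixed))
```

The self-check is the kind of assertion a test suite or scanner can carry to flag CWE-89 before the code ever becomes a CVE: the same probe that returns every row from `lookup_vulnerable` returns nothing from `lookup_fixed`.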

Exploiting a zero-day vulnerability relies on developing a specific exploit, meaning code or a method capable of leveraging the flaw before it is patched. The attacker can integrate it into a booby-trapped document, a website, malware, or a phishing email.

Once the exploit is launched, it can allow the attacker to take control of the system, install a Trojan horse, open a backdoor, or extract data. The particularity of a zero-day exploit is that it evades traditional detection mechanisms because it relies on a weakness that is still unknown to the vendor and to defenders.

#Zero-day

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE identifier) a probability of being exploited over the next 30 days.

The goal of EPSS is to complement other scoring systems (like CVSS) by adding a dynamic and contextual layer based on real-world exploitation data observed in the wild. This allows organizations to better prioritize their remediation efforts based on the actual risk of exploitation.

#EPSS #CVSS

CAPEC and CWE are two complementary databases maintained by MITRE, but they do not have the same objective. CWE describes technical weaknesses in code or design (e.g., lack of input validation), while CAPEC describes attack methods that exploit these weaknesses (e.g., SQL injection).

In other words, CWE focuses on the cause, while CAPEC focuses on the attacker's action. The two can be linked: a CAPEC pattern often specifies which CWEs it targets, making it possible to link the theoretical vulnerability, the practical exploitation, and the associated CVEs.

#CAPEC #CWE #MITRE

A CVE (Common Vulnerabilities and Exposures) is a security flaw that has already been identified, documented, and published in an official database. It is known to the public, and generally, patches are in progress or already available. In contrast, a zero-day is a flaw that has not yet been disclosed, and therefore not recorded in a CVE at the time of its discovery.

In other words, any zero-day can become a CVE, but not all CVEs are zero-days. The major risk of a zero-day is precisely that it can be exploited before it is even reported, whereas a CVE is by definition a vulnerability in the process of being addressed or corrected.

#Zero-day #CVE

A CVE is simply a public declaration that a flaw exists in a given product, while an exploited vulnerability means that an attacker is actively using this flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions: some may remain theoretical or technical.

Conversely, a vulnerability can be exploited without yet having received a CVE - this is what is called a zero-day. To assess the real danger of a CVE, it is necessary to consult additional information such as CISA's KEV catalog, which confirms that the flaw is actively used in cyberattacks, or the EPSS score, which estimates how likely such exploitation is. This information is available directly from our website CVE Find.

#CVE #CISA #KEV #Zero-day

The CWE classification serves to standardize the understanding of security weaknesses in computer systems. It helps developers, testers, and analysts identify common design or coding errors, in order to avoid or correct them more effectively. Thanks to this taxonomy, security tools can produce consistent and actionable reports.

It is also very useful for training technical teams, evaluating detection tools, prioritizing risks, and complying with certain standards such as ISO/IEC 27001. By integrating CWEs into development processes, security can be significantly improved from the design phase.

#CWE

Cybersecurity professionals are the primary users of CAPECs: SOC analysts, penetration testing experts, security architects, developers, trainers, or threat intelligence teams. They use them to understand adversary tactics, prepare test scenarios, and strengthen defenses.

For example, a pentester can use a CAPEC to structure a simulated attack according to a realistic scenario. A developer can find guidance on design flaws to avoid. A CISO can integrate them into risk analyses to better illustrate the potential consequences of a technical weakness.

#CAPEC #SOC

CVEs play a central role in vulnerability management. They provide a common language for all cybersecurity stakeholders to track and document vulnerabilities, which allows for prioritizing patches, automating analyses, and structuring security monitoring. Without CVEs, each vendor or researcher could describe a vulnerability differently, making coordination complex.

They are also used by vulnerability scanning tools, SIEMs, SOCs, and CISOs to establish incident response policies. Their global adoption ensures that vulnerabilities are identifiable and that defenses can be activated more quickly and in a coordinated manner.

#CVE

The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on vulnerabilities that pose an immediate threat.

By publishing this list, CISA provides a very practical risk management tool: it identifies not only known vulnerabilities, but also the most critical and urgent ones. For U.S. federal agencies, patching these vulnerabilities is mandatory within strict deadlines. But beyond the United States, the KEV is widely consulted by cybersecurity professionals worldwide to guide their patch management strategy.

#CISA #KEV
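The EPSS threshold policy quoted earlier (“patch any vulnerability with an EPSS score > 0.7 within 48 hours”) and the advice to combine KEV membership with the EPSS score can be turned into a simple triage routine. The following is an added example, not CVEFind's code: the CVE identifiers, scores and KEV flags are constructed sample data, and the tier labels and ordering rule are assumptions chosen for the illustration rather than any published standard.

```python
"""Triage constructed CVE findings by KEV membership, EPSS, then CVSS.

Added example, not part of the CVEFind FAQ. All CVE ids and scores below
are constructed sample values; the tiers are illustrative policy choices.
"""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.7  # from the FAQ's example policy: EPSS > 0.7 => 48 hours


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float   # base severity, 0.0 to 10.0
    epss: float   # probability of exploitation in the next 30 days
    in_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


def triage_tier(f: Finding) -> tuple:
    """Return (rank, label); lower rank means patch sooner.

    KEV entries are confirmed exploited, so they come first regardless of
    score. A high EPSS is a strong exploitation signal even with a modest
    CVSS. A high CVSS alone, with no exploitation signal, is handled in
    the normal cycle rather than as an emergency.
    """
    if f.in_kev:
        return (0, "KEV: remediate by the CISA due date")
    if f.epss > EPSS_THRESHOLD:
        return (1, "EPSS > 0.7: patch within 48 hours")
    if f.cvss >= 9.0:
        return (2, "critical CVSS, no exploitation signal: next patch cycle")
    return (3, "routine")


def prioritize(findings: list) -> list:
    """Order findings by tier, then by EPSS and CVSS descending."""
    return sorted(findings, key=lambda f: (triage_tier(f)[0], -f.epss, -f.cvss))


# Constructed sample findings (ids are placeholders, not real CVEs).
SAMPLE = [
    Finding("CVE-1900-0001", cvss=9.8, epss=0.02, in_kev=False),
    Finding("CVE-1900-0002", cvss=7.5, epss=0.91, in_kev=False),
    Finding("CVE-1900-0003", cvss=6.1, epss=0.35, in_kev=True),
    Finding("CVE-1900-0004", cvss=5.3, epss=0.01, in_kev=False),
]


def prioritized_ids(findings: list = SAMPLE) -> list:
    """Convenience wrapper returning just the ordered CVE ids."""
    return [f.cve_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        rank, label = triage_tier(f)
        print(f"{f.cve_id}  CVSS={f.cvss:<4} EPSS={f.epss:<5} KEV={f.in_kev!s:<5} -> {label}")
```

Note how the ordering differs from a CVSS-only policy: the CVSS 9.8 finding with almost no exploitation signal drops below a 7.5 with EPSS 0.91, and the KEV entry with the lowest CVSS of the three goes first, which is exactly the prioritization the KEV and EPSS passages describe.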

Zero-day vulnerabilities are particularly dangerous because they are unknown to vendors, users, and often traditional security solutions (antivirus, IDS, etc.). This means that there is no fix, no patch, and often no detection or protection mechanism at the time of the attack.

Attackers can therefore exploit them without being detected, often as part of targeted and sophisticated attacks (cyber espionage, sabotage, prolonged access to a system). Their value is so high that some zero-days are resold on the dark web or to government actors for hundreds of thousands of euros.

#Zero-day