FAQ : #EPSS

Yes, more and more organizations are using EPSS as a primary criterion for deciding which vulnerabilities to patch first, especially when faced with a large volume of vulnerabilities to address. Patching every CVE with a high CVSS score is costly and inefficient, since many of them are never exploited. EPSS therefore makes it possible to focus resources on the vulnerabilities that are actually likely to be exploited.

Some security policies now incorporate action thresholds based on EPSS, for example: “patch any vulnerability with an EPSS score > 0.7 within 48 hours”. This pragmatic approach accelerates remediation where it is most useful, while limiting unjustified interruptions.

#EPSS

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measure of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measure, focused on the probability of actual exploitation.

Together, these two scores allow for a more refined risk assessment, both theoretically and operationally. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities with both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with these two indicators.

#EPSS #CVSS

EPSS complements CVSS by adding a temporal and behavioral dimension to vulnerability assessment. CVSS measures the severity of a flaw based on its intrinsic properties (impact, complexity, accessibility), but says nothing about the actual probability of it being exploited. EPSS fills this gap by analyzing real-world data, such as exploitation trends observed in honeypots, vulnerability search engines, or threat feeds.

This complementarity is valuable for risk management: a flaw may be critical according to CVSS, but not exploited (low EPSS score), or conversely appear benign in theory, but be heavily used in automated attacks. Using both scores together allows for establishing more relevant priorities that align with real-world conditions.

#EPSS #CVSS

For CISOs and SOC teams, EPSS offers objective and dynamic decision support. It allows filtering vulnerabilities detected by scanners based on their probability of exploitation, which reduces the workload of teams and improves the relevance of alerts. EPSS is particularly useful in environments where the volume of CVEs is high and resources are limited.

By integrating EPSS into vulnerability management tools, SIEMs, or security dashboards, CISOs can better communicate with management by prioritizing actions based on real and measurable risk, rather than a simple theoretical score.

#EPSS #CISO #SOC

EPSS scores are updated daily, reflecting the dynamic nature of threats and vulnerability exploitation. At any time, a change in the attack landscape (exploit publication, forum discussion, detection in honeypots) can cause the probability of a CVE being targeted to vary.

This frequent updating makes EPSS a more reactive tool than CVSS, whose scores rarely change once published. To take full advantage of EPSS, it is therefore recommended to integrate automated feeds or APIs to track scores continuously.

#EPSS

To determine whether a CVE is actively exploited, several information sources can be consulted. The most reliable is the KEV (Known Exploited Vulnerabilities) catalog maintained by CISA, which lists CVEs whose exploitation has been confirmed in the wild. It is updated regularly and is often used to establish remediation priorities. This information is directly accessible on our website, CVE Find.

You can also rely on the EPSS score, which estimates the probability of a CVE being exploited within 30 days of its publication, based on real data. Finally, threat intelligence tools, CERT reports, or vendor security bulletins can also indicate whether a vulnerability is currently being used by attackers.

#CVE #KEV #CISA #EPSS
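The threshold policies quoted in the answers above (EPSS > 0.7 patched within 48 hours, the hybrid CVSS ≥ 7 and EPSS ≥ 0.5 rule) and the KEV check described in this answer can be combined into a single triage pass. The script below is an added illustration, not code from CVE Find or FIRST; the CVE identifiers and scores are constructed placeholders, and the tier order (KEV first, then the EPSS threshold, then the hybrid rule) is an assumption about how such a policy would be layered.

```python
from dataclasses import dataclass

# Thresholds taken from the policy examples quoted in this FAQ.
EPSS_URGENT = 0.7   # "patch any vulnerability with an EPSS score > 0.7 within 48 hours"
HYBRID_CVSS = 7.0   # hybrid rule: CVSS >= 7 and EPSS >= 0.5
HYBRID_EPSS = 0.5


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float     # CVSS base score, 0.0 - 10.0 (static severity)
    epss: float     # EPSS probability of exploitation within 30 days, 0.0 - 1.0
    in_kev: bool    # listed in CISA KEV, i.e. exploitation confirmed in the wild


def classify(v: Vuln) -> tuple[int, str]:
    """Return (tier, reason). Lower tier = remediate first. Rules apply in order;
    the tier ordering is an assumption, not a rule stated by FIRST or CISA."""
    if v.in_kev:
        return 0, "CISA KEV: exploitation confirmed in the wild"
    if v.epss > EPSS_URGENT:
        return 1, f"EPSS {v.epss:.2f} > {EPSS_URGENT}: patch within 48 hours"
    if v.cvss >= HYBRID_CVSS and v.epss >= HYBRID_EPSS:
        return 2, f"CVSS {v.cvss} >= {HYBRID_CVSS} and EPSS {v.epss:.2f} >= {HYBRID_EPSS}"
    if v.cvss >= HYBRID_CVSS:
        return 3, f"high CVSS {v.cvss} but low EPSS {v.epss:.2f}: normal patch cycle"
    return 4, "below all thresholds: backlog"


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Order by tier, then by EPSS descending so the likeliest-exploited
    CVEs come first within a tier, then by CVSS as a final tie-breaker."""
    return sorted(vulns, key=lambda v: (classify(v)[0], -v.epss, -v.cvss))


# Constructed sample records: placeholder CVE ids and illustrative scores,
# not real EPSS/CVSS values.
SAMPLE = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),  # critical on paper, rarely exploited
    Vuln("CVE-0000-0002", cvss=5.3, epss=0.91, in_kev=False),  # medium CVSS, heavily exploited
    Vuln("CVE-0000-0003", cvss=7.5, epss=0.55, in_kev=False),  # caught by the hybrid rule
    Vuln("CVE-0000-0004", cvss=6.1, epss=0.30, in_kev=True),   # KEV listing overrides both scores
    Vuln("CVE-0000-0005", cvss=4.0, epss=0.01, in_kev=False),  # backlog
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        tier, reason = classify(v)
        print(f"P{tier} {v.cve}  CVSS={v.cvss:<4} EPSS={v.epss:.2f}  {reason}")
```

Note how the ordering inverts the CVSS-only view: the 9.8 with a 0.02 EPSS drops below a 5.3 that is being exploited, which is the point the answers above make about combining the two scores.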

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE identifier) a probability of being exploited within 30 days of its observation.

The goal of EPSS is to complement other scoring systems (like CVSS) by adding a dynamic and contextual layer based on real-world exploitation data observed in the wild. This allows organizations to better prioritize their remediation efforts based on the actual risk of exploitation.

#EPSS #CVSS

The EPSS model is developed and maintained by the FIRST (Forum of Incident Response and Security Teams) community, in collaboration with researchers, data analysts, and cybersecurity professionals. It is an open and collaborative project, with publicly documented methods and regularly updated results.

The model is built on large volumes of exploitation data and machine learning techniques. It is designed to be transparent, reproducible, and freely accessible, making it a reliable tool suited to the operational needs of security teams, including those outside US government contexts.

#EPSS #FIRST