What is EPSS? Prioritizing Vulnerabilities by Exploitation Probability

PentaTrail Team · 5 min read

What is EPSS?

EPSS (Exploit Prediction Scoring System) is a scoring system provided by FIRST that estimates the probability that a CVE will be exploited in the wild within the next 30 days, on a scale of 0 to 1 (0% to 100%).

While CVSS measures a vulnerability's "technical severity," EPSS measures "how likely it is to actually be used in an attack." This distinction is transformative for vulnerability management.

Why EPSS Matters

The Vulnerability Explosion

Over 29,000 new CVEs were published in 2023, and the yearly count keeps rising. Addressing every one of them is impossible in practice.

CVSS Alone Falls Short

Among vulnerabilities rated Critical by CVSS (9.0+), fewer than 5% are actually exploited. Conversely, some Medium-rated vulnerabilities are actively used in large-scale attack campaigns.

Resource Optimization

Security team resources are finite. EPSS enables teams to focus on vulnerabilities with the highest probability of real-world exploitation.

How EPSS Works

EPSS uses machine learning models that consider:

Input Data

  • Vulnerability characteristics: CVSS vectors, CWE types, affected products
  • Exploit information: Presence in Exploit-DB, Metasploit, etc.
  • Threat intelligence: Dark web mentions, inclusion in attack toolkits
  • Temporal factors: Days since vulnerability publication

Score Properties

  • Updated daily: Recalculated based on new threat intelligence
  • Probability value: 0.0 (won't be exploited) to 1.0 (certainly exploited)
  • Percentile ranking: Relative position among all CVEs

Reading EPSS Scores

EPSS Score    Percentile   Action
0.9+          Top 0.1%     Immediate response (exploitation near-certain)
0.5-0.9       Top 1%       Urgent response
0.1-0.5       Top 5%       Early remediation recommended
0.01-0.1      Top 20%      Planned remediation
Below 0.01    Bottom 80%   Risk-based decision

Combining CVSS and EPSS

Using CVSS and EPSS as two axes creates four quadrants:

High CVSS x High EPSS → Top Priority

Technically severe and likely to be exploited. Requires immediate action.

High CVSS x Low EPSS → Planned Response

Severe but unlikely to be exploited. Address in regular patch cycles.

Low CVSS x High EPSS → Watch Closely

Low severity but actively targeted by attackers. Could serve as an initial foothold.

Low CVSS x Low EPSS → Monitor

Low risk at present. Reassess periodically.
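The score bands from the table above and the four CVSS x EPSS quadrants, turned into a small prioritization routine. This is an added example, not PentaTrail code: the CVE records and CVSS scores are constructed, and the quadrant cut-offs (CVSS 7.0, EPSS 0.1) and the ordering of the two mixed quadrants are assumptions the article does not state.

```python
# Constructed sample, shaped like records from the FIRST EPSS API
# (https://api.first.org/data/v1/epss): "epss" and "percentile" arrive as strings.
SAMPLE_EPSS = [
    {"cve": "CVE-0000-0001", "epss": "0.950", "percentile": "0.999"},
    {"cve": "CVE-0000-0002", "epss": "0.004", "percentile": "0.700"},
    {"cve": "CVE-0000-0003", "epss": "0.320", "percentile": "0.970"},
    {"cve": "CVE-0000-0004", "epss": "0.002", "percentile": "0.550"},
]
# Constructed CVSS base scores for the same CVEs (normally from NVD or a scanner).
SAMPLE_CVSS = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 9.1,
               "CVE-0000-0003": 5.3, "CVE-0000-0004": 4.3}

# EPSS bands from the article's table: lower bound (inclusive) -> action.
EPSS_BANDS = [
    (0.9, "Immediate response"),
    (0.5, "Urgent response"),
    (0.1, "Early remediation recommended"),
    (0.01, "Planned remediation"),
    (0.0, "Risk-based decision"),
]

# Assumed cut-offs: CVSS >= 7.0 counts as "High" (the CVSS v3 High/Critical
# boundary); EPSS >= 0.1 counts as "High" (start of the "early remediation" band).
CVSS_HIGH = 7.0
EPSS_HIGH = 0.1

# Quadrants keyed by (cvss_is_high, epss_is_high); rank 0 is handled first.
# Assumption: "Watch Closely" (actively targeted) outranks "Planned Response".
QUADRANTS = {(True, True): (0, "Top Priority"), (False, True): (1, "Watch Closely"),
             (True, False): (2, "Planned Response"), (False, False): (3, "Monitor")}

def epss_action(epss: float) -> str:
    """Map an EPSS probability to the action column of the article's table."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must be a probability in [0, 1], got {epss}")
    return next(action for lower, action in EPSS_BANDS if epss >= lower)

def prioritize(epss_records, cvss_scores):
    """Return (cve, quadrant, action, epss) tuples, most urgent first.
    Sort key: quadrant rank, then EPSS descending, then CVSS descending."""
    rows = []
    for rec in epss_records:
        cve, epss = rec["cve"], float(rec["epss"])  # API delivers strings
        cvss = cvss_scores[cve]
        rank, name = QUADRANTS[(cvss >= CVSS_HIGH, epss >= EPSS_HIGH)]
        rows.append((rank, -epss, -cvss, cve, name, epss_action(epss)))
    return [(cve, name, action, -neg) for _, neg, _, cve, name, action in sorted(rows)]

if __name__ == "__main__":
    for cve, quad, action, epss in prioritize(SAMPLE_EPSS, SAMPLE_CVSS):
        print(f"{cve}  EPSS={epss:.3f}  {quad:<16} {action}")
```

Note that CVE-0000-0002 (CVSS 9.1, EPSS 0.004) lands behind the CVSS 5.3 record with EPSS 0.32, which is exactly the reordering the two-axis view is meant to produce.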

EPSS in PentaTrail

PentaTrail/CTEM shows both CVSS and EPSS scores for discovered vulnerabilities and combines them into the Threat Discovery Level (TDL). The result is then adjusted by the KEV boost and the BI Score to land in a TER band, so security teams can instantly see what truly requires action right now.

To try EPSS-based prioritization on PentaTrail, Start Your 14-Day Free Trial.
