FAQ

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measurement of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measurement, focused on the actual likelihood of exploitation.

Together, these two scores allow for a more accurate risk assessment, both theoretical and operational. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities that have both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with both indicators.

Yes, more and more organizations use EPSS as a priority criterion to decide which vulnerabilities to fix first, especially when dealing with a large volume of issues. Fixing all CVEs with a high CVSS score can be costly and inefficient, especially if some are never exploited. EPSS helps focus resources on truly dangerous vulnerabilities.

Some security policies now include EPSS-based thresholds, such as: “fix any vulnerability with an EPSS score > 0.7 within 48 hours.” This pragmatic approach accelerates remediation where it is most useful, while limiting unnecessary interruptions.

EPSS scores are updated daily, reflecting the dynamic nature of threats and vulnerability exploitation. At any time, changes in the threat landscape (exploit releases, forum discussions, honeypot detections) can alter the likelihood of a CVE being targeted.

This frequent updating makes EPSS a more responsive tool than CVSS, whose scores rarely change once published. To fully benefit from EPSS, it is recommended to integrate automated feeds or APIs to continuously track scores.

The EPSS model is developed and maintained by the FIRST (Forum of Incident Response and Security Teams) community, in collaboration with researchers, data analysts, and cybersecurity professionals. It is an open and collaborative project, with publicly documented methods and regularly updated results.

This model relies on large-scale statistical data and machine learning techniques. It is designed to be transparent, reproducible, and freely accessible, making it a reliable and practical tool for security teams worldwide.

EPSS complements CVSS by adding a temporal and behavioral dimension to vulnerability assessment. CVSS measures the severity of a flaw based on intrinsic properties (impact, complexity, accessibility), but says nothing about the actual likelihood of exploitation. EPSS fills this gap by analyzing real-world data, such as trends observed in honeypots, vulnerability search engines, or threat intelligence feeds.

This complementarity is valuable for risk management: a flaw may be critical according to CVSS but unexploited (low EPSS), or appear mild in theory but widely used in automated attacks. Using both scores together helps define more relevant and grounded priorities.

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE) a likelihood of being exploited within 30 days of observation.

The purpose of EPSS is to complement other evaluation systems (such as CVSS) by adding a dynamic and contextual layer based on real-world exploitation data. This helps organizations better prioritize their remediation efforts according to actual risk.