Vulnerability management has traditionally relied on severity-based scoring models like CVSS, which assess impact but do not predict real-world exploitation. The Exploit Prediction Scoring System (EPSS) shifts this approach by using machine learning to estimate the likelihood that a vulnerability will be exploited within 30 days, helping security teams focus on active threats rather than purely theoretical risk. However, I’m critical of the hype. Is EPSS truly superior, or does it have critical gaps? Let’s explore.
EPSS is a machine learning model trained on real-world exploitation data to estimate the probability of a given vulnerability being exploited within 30 days. I believe that this 30-day window is based on observed patterns, where a significant portion of exploits emerge within a month of public disclosure, making it a practical and actionable prediction timeframe.
To predict exploitation probability, EPSS collects a broad range of real-world data. Each data source and what it contributes:
- CVE/NVD (National Vulnerability Database): provides baseline vulnerability metadata.
- Exploit Intelligence (Metasploit, Exploit-DB, GitHub): tracks the availability of proof-of-concept (PoC) and weaponized exploit code.
- Threat Intelligence Feeds (Fortinet, GreyNoise, Shadowserver, AlienVault OTX): monitors active exploitation attempts in the wild.
- CISA KEV (Known Exploited Vulnerabilities Catalog): flags vulnerabilities that are actively exploited by adversaries.
- Social Media Signals (Twitter, Dark Web Monitoring): measures discussion volume and potential attacker interest.
- Vulnerability Scanner Detections (Nuclei, Jaeles, Sn1per): identifies vulnerabilities actively scanned by attackers.
[Figure: EPSS tracks exploitation attempts in the wild and monitors attacker behavior patterns across the sources above]
With these inputs accounted for, EPSS uses two machine learning models to predict which vulnerabilities are likely to be exploited in the next 30 days. They are as follows:
1. Logistic Regression (“Yes or No” model): works like a weather forecast for rain—it looks at known risk factors (e.g., public exploit code, attack complexity) and predicts whether a vulnerability will be exploited in the next 30 days (Yes or No).
2. XGBoost (“Smart Pattern Finder” model): works like Netflix recommendations—instead of just saying “Yes or No,” it analyzes thousands of past exploitation cases, finds deeper patterns (e.g., how often similar vulnerabilities were exploited), and fine-tunes the probability, just like Netflix recommends movies based on what others with similar tastes watched.
Remember, the critical inputs are the data sources listed above. And what do you get? A score. The higher the score, the greater the likelihood of exploitation.
There’s a common misconception that EPSS is simply a “better” version of CVSS, but they serve different purposes and are not interchangeable. EPSS predicts which vulnerabilities are most likely to be exploited in the next 30 days, dynamically updating based on real-world attack data to help security teams focus on active threats rather than theoretical risks. Meanwhile, CVSS measures severity and impact, making it essential for regulatory compliance, contract enforcement, and risk assessments. However, EPSS ignores business risk and asset criticality, potentially deprioritizing vulnerabilities that could have catastrophic consequences if exploited, while CVSS lacks real-time exploitability data, often leading to over-prioritization of vulnerabilities that aren’t actively targeted. Used together, they provide a more complete—but still imperfect—approach to vulnerability management.
EPSS is a game-changer for real-time vulnerability prioritization, using machine learning and live threat intelligence to identify which vulnerabilities are actively exploited. It continuously updates based on honeypots, social media signals, IDS/IPS logs, and exploit databases, ensuring security teams focus on real threats rather than theoretical risks. However, EPSS does not measure severity, business impact, or security controls; it effectively assumes all vulnerabilities are equally exposed. A high-EPSS vulnerability in a well-protected system may pose minimal risk, while a low-EPSS vulnerability on an exposed critical asset could be a major threat—yet EPSS wouldn’t reflect this. Additionally, it cannot detect zero-day threats, as it relies on publicly available exploit data. While EPSS is essential for prioritizing active threats, it remains incomplete without business context, security posture, and integrated, risk-based assessment methodologies.
CVSS is the standard for measuring vulnerability severity and impact, providing a structured scoring system that helps organizations comply with regulatory frameworks and assess technical exploitability. Unlike EPSS, which focuses on likelihood of exploitation, CVSS quantifies how damaging an exploit could be, making it essential for understanding potential consequences. However, CVSS is static and does not reflect real-time threats—its Base Score remains unchanged even if a vulnerability is actively exploited, leading to over-prioritization of theoretical risks. A CVSS 9.8 vulnerability might never be attacked, while a CVSS 6.5 vulnerability under mass exploitation could be overlooked. CVSS 4.0 introduces Threat Metrics, but they require manual updates, leaving it better suited for compliance than real-time risk-based decision-making.
Despite their strengths, EPSS and CVSS both miss critical factors that SecOps teams need for real-world vulnerability management. By failing to account for business risk, security controls, attack chaining, and operational constraints, CVSS and EPSS leave security teams with an incomplete and often misleading picture of risk. This forces manual decision-making, leading to inefficient remediation, wasted resources, and increased threat exposure debt.
Practically, a high-EPSS vulnerability in a segmented network may pose little real risk, while a low-EPSS vulnerability on an exposed financial database could be a prime ransomware target—yet neither model reflects this. Similarly, CVSS remains static even when a vulnerability is actively exploited, meaning an actively targeted CVE might retain the same score it was assigned years ago. Without real-time updates, organizations risk prioritizing vulnerabilities based on outdated assumptions rather than real-world threats.
Even worse, attackers rarely exploit vulnerabilities in isolation—they chain multiple weaknesses together to bypass defenses and gain deeper access. Since neither CVSS nor EPSS models multi-step attack paths or adversary intent, security teams may patch the wrong vulnerabilities while leaving critical weaknesses open.
The result is longer dwell times for attackers, greater lateral movement opportunities, and a higher chance of significant breaches. Without an automated, real-time risk assessment framework that integrates exploitability, business impact, security controls, and evolving threat intelligence, SecOps teams will remain reactive—drowning in vulnerability lists without a clear sense of where to focus first.
EPSS and CVSS alone cannot provide the comprehensive risk-based prioritization that modern security teams need. To truly improve vulnerability management, organizations need a more comprehensive Threat Exposure Management (TEM) approach that integrates exploit likelihood (EPSS), severity impact (CVSS), real-time threat intelligence, security controls, and business risk into a single, automated decision-making framework.
- Why EPSS and CVSS fall short: neither system dynamically adjusts risk scores as an organization’s attack surface changes—new assets, cloud misconfigurations, and external exposure aren’t factored in. How TEM addresses it: continuously monitors changes in the attack surface, ensuring vulnerabilities are reassessed as assets move between networks, gain exposure, or are decommissioned.
- Why EPSS and CVSS fall short: both systems fail to account for remediation complexity, patch feasibility, or operational risk, leading to blind patching strategies that may disrupt critical systems.
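As an added illustration of the combined approach argued for above (example code written for this edit, not Hive Pro’s or Uni5 Xposure’s own logic): the script parses constructed lines laid out like FIRST’s published EPSS CSV feed, then re-ranks findings using the CVSS base score plus assumed asset context (internet exposure, business criticality, compensating controls). The CVE identifiers, scores, asset names and weighting factors are all constructed placeholders, and the weighting formula is an assumption for illustration, not published EPSS or CVSS guidance.

```python
import csv
from dataclasses import dataclass

# Constructed sample in the layout of FIRST's daily EPSS CSV feed
# (one '#' metadata line, then a 'cve,epss,percentile' header).
# The CVE ids and scores are placeholders, not real records.
EPSS_CSV = """#model_version:example,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.91000,0.99000
CVE-0000-0002,0.03000,0.62000
CVE-0000-0003,0.45000,0.93000
"""


def parse_epss(text: str) -> dict[str, tuple[float, float]]:
    """Return {cve: (epss_probability, percentile)} from EPSS CSV feed text."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    reader = csv.DictReader(rows)
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_base: float            # CVSS base score, 0-10 (constructed)
    asset: str                  # constructed asset name
    internet_exposed: bool      # attack-surface context that EPSS does not carry
    criticality: int            # 1 (lab box) .. 5 (crown-jewel data), set by the business
    compensating_control: bool  # e.g. an IPS signature or WAF rule covering this CVE


# Assumed weights for illustration only.
SEGMENTED_FACTOR = 0.1  # reachable only after a foothold inside the network
CONTROL_FACTOR = 0.5    # a compensating control cuts, but does not remove, likelihood


def contextual_priority(epss: float, f: Finding) -> float:
    """Likelihood (EPSS adjusted by exposure and controls) times impact
    (CVSS base scaled by business criticality), on a 0-100 scale."""
    likelihood = epss
    if not f.internet_exposed:
        likelihood *= SEGMENTED_FACTOR
    if f.compensating_control:
        likelihood *= CONTROL_FACTOR
    impact = (f.cvss_base / 10.0) * (f.criticality / 5.0)
    return round(100.0 * likelihood * impact, 1)


def rank(findings, epss_scores, contextual=True):
    """Return (asset, cve, score) tuples ordered highest priority first.
    With contextual=False the order is by raw EPSS probability alone."""
    def key(f):
        epss, _percentile = epss_scores[f.cve]
        return contextual_priority(epss, f) if contextual else epss
    return [(f.asset, f.cve, key(f)) for f in sorted(findings, key=key, reverse=True)]


# Constructed findings: a high-EPSS bug on a segmented, protected lab host,
# a low-EPSS bug on an exposed finance database, and a mid-EPSS bug on a portal.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "lab-jumpbox", False, 1, True),
    Finding("CVE-0000-0002", 6.5, "finance-db", True, 5, False),
    Finding("CVE-0000-0003", 7.5, "web-portal", True, 4, False),
]

if __name__ == "__main__":
    scores = parse_epss(EPSS_CSV)
    print("EPSS only   :", rank(FINDINGS, scores, contextual=False))
    print("With context:", rank(FINDINGS, scores))
```

Run as-is, the EPSS-only ranking puts the segmented lab host first because its probability is highest, while the contextual ranking moves the exposed finance database above it, which is exactly the reordering the paragraphs above argue neither EPSS nor CVSS can produce on their own.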
The future isn’t just EPSS or CVSS, in fact, it’s not even the two together. Not with so much missing. Instead, it’s Threat Exposure Management. We’re carrying it through with Uni5 Xposure. Are you ready to eliminate your threat exposure debt? Come talk to us.