FortWatch

EPSS (Exploit Prediction Scoring System)

A model that estimates the probability that a vulnerability will be exploited in the wild within the next 30 days.


What is EPSS (Exploit Prediction Scoring System)?

The Exploit Prediction Scoring System (EPSS) is a data-driven model, maintained by the FIRST.org SIG, that estimates the probability a given software vulnerability (identified by its CVE) will be exploited in the wild within the next 30 days. Each CVE gets two numbers: an EPSS score (a probability from 0 to 1, often shown as a percentage) and an EPSS percentile (how that CVE ranks against all others). Unlike CVSS, which measures how severe a flaw could be in theory, EPSS measures how likely it is to actually be attacked.

Why it matters

Most organizations cannot patch everything at once. CVSS alone is a poor prioritization signal because the large majority of high-CVSS CVEs are never exploited, while a small fraction of lower-scoring ones get weaponized quickly. EPSS narrows the field: combining a high EPSS score with real exposure lets teams focus remediation on the vulnerabilities most likely to be used against them. It pairs well with the CISA KEV (Known Exploited Vulnerabilities) catalog and with severity to form a defensible patch order. See our guide on how to prioritize vulnerabilities for the full workflow.

How it works

EPSS is a machine-learning model trained on observed exploitation activity. It ingests signals such as CVE age, vendor and product, references to public exploit code, mentions in security feeds, CVSS components, and whether a proof-of-concept exists. The model outputs a daily-refreshed probability, so a CVE's score rises when exploit code is published or chatter increases, and decays over time if no exploitation materializes. Scores are free and queryable via the FIRST.org API.

Reading the two numbers

  • Score — e.g. 0.92 means roughly a 92% modeled chance of exploitation in 30 days.
  • Percentile — e.g. 0.998 means the CVE is more exploit-likely than 99.8% of all CVEs.

A concrete example

Suppose a scan flags two CVEs on your public web stack. CVE-A has CVSS 9.8 but EPSS 0.01 (1st percentile). CVE-B has CVSS 7.5 but EPSS 0.94 (99th percentile) because a Metasploit module shipped last week. Severity alone would push you toward CVE-A, but EPSS shows CVE-B is the one attackers are actively using. You patch CVE-B first.

How it appears on your external attack surface

EPSS only becomes actionable once a vulnerability is mapped to a real, reachable asset. A CVE with a 0.95 EPSS score on an internal-only host is a different risk than the same CVE on an internet-facing service. External attack surface management exists to close that gap — see what external attack surface management is — by confirming which CVEs sit on assets an attacker can actually touch.
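The following script is an added example for this glossary entry, not FortWatch code. It parses a response in the shape the FIRST.org EPSS API returns (fields `cve`, `epss`, `percentile`, `date`, returned as strings) and then orders scanner findings the way the sections above describe: KEV-listed first, then internet-facing assets, then by EPSS score, with CVSS only as a tiebreaker. The EPSS payload is constructed to mirror the API's field names with invented values; the finding records, their `internet_facing` and `in_kev` flags, and all function names are assumptions made for the example. CVE-A and CVE-B reproduce the two CVEs from the worked example, and CVE-C is added to show that a higher EPSS score on an internal-only host still ranks below an exposed one.

```python
"""Rank scanner findings by exploit likelihood and exposure, using EPSS plus
severity and KEV membership. Added example for this glossary entry, not
FortWatch code. The EPSS payload is a constructed sample shaped like the
FIRST.org API response; the finding records and their values are invented."""
import json
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"


def build_epss_url(cves):
    """Return the query URL for a batch of CVE ids (the API accepts a
    comma-separated list in the `cve` parameter)."""
    return f"{EPSS_API}?{urlencode({'cve': ','.join(cves)})}"


def parse_epss_response(payload):
    """Map CVE id -> (score, percentile) from an EPSS API JSON document.
    The API returns both numbers as strings, so convert them to floats."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS query failed: {doc.get('status')}")
    return {
        row["cve"]: (float(row["epss"]), float(row["percentile"]))
        for row in doc["data"]
    }


def prioritize(findings, epss):
    """Order findings for patching: known-exploited (KEV) first, then
    internet-facing assets, then by EPSS score, then by CVSS as a tiebreaker.
    A CVE missing from the EPSS feed gets score 0 so it sorts last among peers."""
    def key(finding):
        score, _ = epss.get(finding["cve"], (0.0, 0.0))
        return (finding["in_kev"], finding["internet_facing"], score, finding["cvss"])
    return sorted(findings, key=key, reverse=True)


# Constructed sample: the shape matches the FIRST.org API, the values are invented.
SAMPLE_EPSS_JSON = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-A", "epss": "0.010000", "percentile": "0.010000", "date": "2024-01-01"},
        {"cve": "CVE-B", "epss": "0.940000", "percentile": "0.990000", "date": "2024-01-01"},
        {"cve": "CVE-C", "epss": "0.950000", "percentile": "0.995000", "date": "2024-01-01"},
    ],
})

# Constructed scanner findings: CVE-A and CVE-B are the two from the text;
# CVE-C has a higher EPSS score but sits on an internal-only host.
SAMPLE_FINDINGS = [
    {"cve": "CVE-A", "cvss": 9.8, "internet_facing": True, "in_kev": False},
    {"cve": "CVE-B", "cvss": 7.5, "internet_facing": True, "in_kev": False},
    {"cve": "CVE-C", "cvss": 8.1, "internet_facing": False, "in_kev": False},
]


def patch_order(findings=SAMPLE_FINDINGS, payload=SAMPLE_EPSS_JSON):
    """Return the CVE ids in the order they should be patched."""
    return [f["cve"] for f in prioritize(findings, parse_epss_response(payload))]


if __name__ == "__main__":
    print("query URL:", build_epss_url([f["cve"] for f in SAMPLE_FINDINGS]))
    scores = parse_epss_response(SAMPLE_EPSS_JSON)
    for f in prioritize(SAMPLE_FINDINGS, scores):
        score, pct = scores[f["cve"]]
        print(f"{f['cve']}: EPSS {score:.2f} (percentile {pct:.3f}) CVSS {f['cvss']} "
              f"exposed={f['internet_facing']} kev={f['in_kev']}")
```

Run as-is it prints the order CVE-B, CVE-A, CVE-C; to use live data, fetch the URL from `build_epss_url` and pass the response body to `parse_epss_response`. The sort key is deliberately a tuple rather than a weighted sum: a KEV listing is confirmed exploitation and should never be outweighed by a high severity score, and an unreachable host should never outrank a reachable one no matter its EPSS value.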

How FortWatch helps

FortWatch's vulnerability scanning uses Nuclei to detect CVEs on your public-facing assets, then enriches each finding with severity context and AI-generated remediation guidance. Because we only report vulnerabilities on assets that are externally reachable, EPSS-style prioritization is grounded in genuine exposure rather than a raw CVE list — letting you fix what is both exploitable and exposed first.
