<!-- Source: https://melinasecurity.com/knowledge/glossary/epss/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# EPSS

**slug:** `epss` · **URL:** `/knowledge/glossary/epss/` · **category:** Vulnerability Scoring · **reviewer:** Gleb

### Definition

EPSS (Exploit Prediction Scoring System) is a probabilistic scoring system that estimates the likelihood a published vulnerability will be exploited in the wild within the next 30 days. Maintained by FIRST (Forum of Incident Response and Security Teams), it complements [CVSS](/knowledge/glossary/cvss/) by adding observed-exploitation context that CVSS alone does not capture.

### What it means

EPSS produces a daily score between 0 and 1 for each [CVE](/knowledge/glossary/cve/), interpretable as a probability. A score of 0.95 means EPSS predicts a 95% chance the CVE will be exploited in the next 30 days; a score of 0.001 means the model considers exploitation in the next 30 days unlikely. The model is trained on real exploitation data sourced from security vendors, honeypots, and threat-intelligence feeds.

EPSS is most useful for prioritizing a patch backlog among CVEs that all have moderate-to-high CVSS scores. CVSS scores are static technical-impact ratings, and most published CVEs are never exploited at scale, so using EPSS to rank CVSS-high vulnerabilities against each other materially improves remediation efficiency for security teams operating large attack surfaces.

For Melina reporting, EPSS percentile is provided alongside CVSS for each finding mapped to a published CVE. This gives the client a clear basis to prioritize remediation effort against external exploitation pressure.
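The following script is an added illustration of the prioritization described above; it is not Melina's reporting code and not part of the FIRST EPSS project. It joins a constructed set of scan findings (placeholder CVE ids with CVSS base scores) against a constructed JSON payload shaped like the response of the EPSS data API (assumed shape: a `data` list whose entries carry `cve`, `epss`, `percentile` and `date` as strings), ranks the findings by exploitation probability, assigns an illustrative triage tier, and computes the expected number of exploited CVEs in the next 30 days. The CVSS 7.0 threshold and the EPSS cut-offs are made-up policy values, not a recommendation from Melina or FIRST.

```python
"""Prioritize a CVE patch backlog with EPSS alongside CVSS.

Added example for this glossary entry, not Melina's own reporting code.
Assumptions (labelled here and in comments below):
- Findings and the EPSS payload are constructed inline so the script runs
  offline; the payload mimics the shape of the FIRST EPSS data API
  (https://api.first.org/data/v1/epss), whose `data` rows carry `cve`,
  `epss`, `percentile` and `date` as strings.
- The CVSS >= 7.0 threshold and the EPSS cut-offs are illustrative values.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample findings: placeholder CVE ids with CVSS v3 base scores.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "host": "web-01"},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "host": "web-01"},
    {"cve": "CVE-0000-0003", "cvss": 8.1, "host": "db-01"},
    {"cve": "CVE-0000-0004", "cvss": 5.3, "host": "db-01"},
    {"cve": "CVE-0000-0005", "cvss": 9.1, "host": "vpn-01"},
]

# Constructed EPSS response in the assumed shape of the FIRST API.
# `epss` is the 30-day exploitation probability; `percentile` is the CVE's
# rank among all scored CVEs (a relative position, not a probability).
EPSS_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 4, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.041000000", "percentile": "0.89000000", "date": "2026-01-01"},
        {"cve": "CVE-0000-0002", "epss": "0.910000000", "percentile": "0.99800000", "date": "2026-01-01"},
        {"cve": "CVE-0000-0003", "epss": "0.000800000", "percentile": "0.33000000", "date": "2026-01-01"},
        {"cve": "CVE-0000-0005", "epss": "0.120000000", "percentile": "0.95000000", "date": "2026-01-01"},
        # CVE-0000-0004 deliberately absent: not every CVE has a score yet.
    ],
})


@dataclass
class Ranked:
    cve: str
    host: str
    cvss: float
    epss: Optional[float]        # None when FIRST has not scored the CVE
    percentile: Optional[float]
    tier: str


def parse_epss(payload: str) -> dict:
    """Map CVE id -> (probability, percentile) from an API-shaped JSON body."""
    body = json.loads(payload)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in body["data"]}


def tier_for(cvss: float, epss: Optional[float], cvss_min=7.0, hot=0.10, warm=0.01) -> str:
    """Illustrative triage rule: exploitation pressure first, then impact."""
    if epss is None:
        return "unscored"            # fall back to CVSS-only handling
    if epss >= hot:
        return "urgent"              # likely exploited soon regardless of CVSS
    if cvss >= cvss_min and epss >= warm:
        return "next"
    return "backlog"


def rank_findings(findings, payload: str) -> list:
    """Join findings with EPSS data and sort by probability, then CVSS."""
    scores = parse_epss(payload)
    ranked = []
    for f in findings:
        epss, pct = scores.get(f["cve"], (None, None))
        ranked.append(Ranked(f["cve"], f["host"], f["cvss"], epss, pct, tier_for(f["cvss"], epss)))
    # Unscored CVEs sort last; among scored ones, higher probability first.
    ranked.sort(key=lambda r: (1.0 if r.epss is None else -r.epss, -r.cvss))
    return ranked


def expected_exploited(ranked: list) -> float:
    """Sum of probabilities = expected number of these CVEs exploited in 30 days."""
    return sum(r.epss for r in ranked if r.epss is not None)


if __name__ == "__main__":
    ranked = rank_findings(FINDINGS, EPSS_RESPONSE)
    for r in ranked:
        pct = "n/a" if r.percentile is None else f"{r.percentile:.1%}"
        print(f"{r.tier:8} {r.cve} cvss={r.cvss:<4} epss={r.epss} pct={pct} ({r.host})")
    print(f"expected exploited within 30 days: {expected_exploited(ranked):.2f}")
```

Two points worth noting when reading the output. The probability and the percentile answer different questions: the score says how likely exploitation is, the percentile says how the CVE ranks against every other scored CVE, so a percentile of 0.89 does not mean an 89% chance of exploitation. And because the scores are probabilities, their sum across a backlog is the expected number of CVEs exploited within the window, which is a useful single number for judging how much external pressure a backlog carries.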

### Related terms

- [CVE](/knowledge/glossary/cve/)
- [CVSS](/knowledge/glossary/cvss/)
- [CWE](/knowledge/glossary/cwe/)

### Authoritative sources

- [EPSS official site (FIRST)](https://www.first.org/epss/)
- [EPSS data API](https://api.first.org/data/v1/epss)

---

