Vulnerability Scoring

EPSS

EPSS (Exploit Prediction Scoring System) is a probabilistic scoring system that estimates the likelihood a published vulnerability will be exploited in the wild within the next 30 days. Maintained by FIRST (Forum of Incident Response and Security Teams), it complements [CVSS](/knowledge/glossary/cvss/) by adding observed-exploitation context that CVSS alone does not capture.

What it means

EPSS produces a daily score between 0 and 1 for each CVE, interpretable as a probability. A score of 0.95 means EPSS predicts a 95% chance the CVE will be exploited in the next 30 days; a score of 0.001 means the model considers exploitation in the next 30 days unlikely. The model is trained on real exploitation data sourced from security vendors, honeypots, and threat-intelligence feeds.

EPSS is most useful for prioritizing a patch backlog among CVEs that all have moderate-to-high CVSS scores. Because CVSS scores are static technical-impact ratings — and because most published CVEs are never exploited at scale — using EPSS to prioritize among CVSS-high vulnerabilities materially improves remediation efficiency for security teams operating large attack surfaces.

For Melina reporting, EPSS percentile is provided alongside CVSS for each finding mapped to a published CVE. This gives the client a clear basis to prioritize remediation effort against external exploitation pressure.
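
As an added worked example (not part of this glossary entry, and not Melina's or FIRST's code), the Python below shows one way to combine CVSS and EPSS when ordering a patch backlog: findings are bucketed by CVSS impact and EPSS exploitation pressure, ordered by EPSS within each bucket, and reported with CVSS and EPSS side by side. The CVE identifiers and scores are constructed placeholders, and the 0.1 EPSS threshold is an assumed policy value; in practice each CVE's probability and percentile come from the daily FIRST EPSS feed, where the percentile is computed across all scored CVEs rather than over the findings in one report.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding mapped to a published CVE."""
    cve: str
    cvss: float   # CVSS base score, 0.0 to 10.0 (static technical-impact rating)
    epss: float   # EPSS probability of exploitation within 30 days, 0.0 to 1.0

    def __post_init__(self) -> None:
        # Reject malformed feed data rather than silently mis-ranking it.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS {self.cvss} outside 0-10")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve}: EPSS {self.epss} outside 0-1")


# Constructed sample data: placeholder CVE ids and illustrative scores,
# not real EPSS output.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.0007),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.94),
    Finding("CVE-0000-0003", cvss=8.1, epss=0.12),
    Finding("CVE-0000-0004", cvss=5.3, epss=0.02),
    Finding("CVE-0000-0005", cvss=9.1, epss=0.03),
    Finding("CVE-0000-0006", cvss=6.5, epss=0.75),
]


def cvss_severity(score: float) -> str:
    """Qualitative rating per the CVSS v3.x scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def epss_percentiles(findings: List[Finding]) -> Dict[str, float]:
    """Fraction of findings whose EPSS score is at or below each finding's score.

    Same definition as the published EPSS percentile, but computed only over
    the given set; FIRST computes the real percentile across every scored CVE.
    """
    scores = [f.epss for f in findings]
    n = len(scores)
    return {f.cve: sum(1 for s in scores if s <= f.epss) / n for f in findings}


def remediation_tier(finding: Finding, epss_threshold: float) -> int:
    """Lower tier number means patch sooner (threshold is an assumed policy value).

    1: CVSS High/Critical and EPSS at/above threshold (impact plus exploitation pressure)
    2: lower CVSS but EPSS at/above threshold (exploitation pressure regardless of rating)
    3: CVSS High/Critical with EPSS below threshold
    4: everything else
    """
    high_impact = finding.cvss >= 7.0
    under_pressure = finding.epss >= epss_threshold
    if high_impact and under_pressure:
        return 1
    if under_pressure:
        return 2
    if high_impact:
        return 3
    return 4


def remediation_order(findings: List[Finding], epss_threshold: float = 0.1) -> List[str]:
    """CVE ids in patch order: by tier, then EPSS descending, then CVSS descending."""
    ranked = sorted(
        findings,
        key=lambda f: (remediation_tier(f, epss_threshold), -f.epss, -f.cvss),
    )
    return [f.cve for f in ranked]


def report_rows(findings: List[Finding]) -> List[str]:
    """One report line per finding, CVSS and EPSS side by side, in patch order."""
    pct = epss_percentiles(findings)
    by_cve = {f.cve: f for f in findings}
    rows = []
    for cve in remediation_order(findings):
        f = by_cve[cve]
        rows.append(
            f"{f.cve}  CVSS {f.cvss:>4.1f} ({cvss_severity(f.cvss):<8})  "
            f"EPSS {f.epss:.4f}  pct {pct[cve]:.0%}"
        )
    return rows


if __name__ == "__main__":
    for row in report_rows(SAMPLE_FINDINGS):
        print(row)
```

Note that the two CVSS 9.x findings in the sample land behind a CVSS 6.5 finding with an EPSS of 0.75: that is the point of the tiering, since a critical rating with near-zero observed exploitation pressure is a weaker reason to patch today than a medium rating the model expects to be exploited this month.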

Related terms

- CVE
- CVSS
- CWE

Authoritative sources

- EPSS official site (FIRST)
- EPSS data API

---